acah 


See at 


y I? i AM RAI? 9 i 
f at yaaa iantabercelay 
Ree B fi 
ti 


NOT TO BE TAKEN FROM THIS ROOM 


ie es A 
Aah dott 


Was 


TAT AS 
aes 

oa 
4 


Webel 
Leh ti 


ee 
ey 


ts 
ity 
iy Ay ae 


“RATAN 
? pas 
fi ied 


Baieagsneliewiye' 
AHN IDE 


PONTE Rote 
Ne Wot 
\" ¥ 
We i NPSRS MAH 
an AL HALEN PER Si 
. Wve Net Ane & 4 NEN BY 
PASSA aaa Mutt g A oii KN 


ae 
SON a ba Wet nr 
R i 


Gx awpnis 


UNINERSTIACLS 


Digitized by the Internet Archive 
in 2023 with funding trom 
University of Alberta Library 


https://archive.org/details/Wagner1983 


@ Se 


i) 


THE UNIVERSITY OF ALBERTA 


Verification of S*(QM-1) Microprograms 
by 


Le i . 
(nn 


\ e) Alan Shelton Wagner 


\ 


es 


AO THESLS 
SUBMITTED TO THE FACULTY OF GRADUATE STUDIES AND RESEARCH 
IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE 


OF Master of Science 


Department of Computing Science 


EDMONTON, ALBERTA 


Fall 1983 


ah i 


“a wet 


erste 


To my parents 
and 


my wife, Jane 


iv 


i! 


7 
ee 
he een, — : - Alls 


A 2: : 


#4 


_ 
Kadie 7 a A) i oF 


7 ] 


Abstract 
In recent years, much effort has been devoted to the design 
and implementation of high level microprogramming languages. 
One of the goals for such languages is to facilitate the 
formal verification of microprograms using Hoare's inductive 
assertion method. Essential to the use of this method is an 
axlomatic definition of the microprogramming language. 

In this thesis, the axiomatization of the machine 
dependent microprogramming language S*(QM-1) is described. 
This language is an instantiation of the machine independent 
language schema S* for the Nanodata QM-1 "nanolevel" 
architecture. It will be shown that, in spite of the 
complexity of the QM-1, with its variety of side-effects and 
special conditions, a pleasingly small and uniform set of 


proof rules can be constructed. 


A a 
2 
t 
= 4 = 
- Fepsa 
a 
~ F ‘ 
‘ 
a i 


+. - 3 Se © 


- 


~ 


¥ a?tan® Axe 4 i a 
'MmitéAaivea.s Ue er 2s 
‘Stason paisu ama 


. 
7 _ 


ion = 
os heveval 


1. a 
o 2 
- 


— : —F 7 ane : 


rime tpoIgen se 
Eat ig Soaps, 


a 


nay sd nap. alow Get 


&S 


a4 


> 


om = * 


Acknowledgements 

I wish to thank Dr. Subrata Dasgupta for his help and 
enthusiasm throughout the course of this work. Our many 
discussions, along with his suggestions and criticisms has 
contributed greatly to this research. 

I am also grateful to Dr. John Tartar for his support 
and help in the later stages of this work. 

Further thanks are due to the other members of my 
examining committee, Dr. Lee White, Dr. D. Zissos, and Steve 
Sutphen for their helpful suggestions and comments. I would 
also like to thank Darrell Makarenko and Ken Hruday for 
their comments on an earlier draft of this thesis. 

Finally, I am indebted to my wife Jane, without whose 


love and support this would not have been possible. 


vi 


Bas tsa aid 
zat amaisiziqe. 6a ‘enodae sal 7 ie ewe panes 
siogague eid 263 se¢=eP adet P é, eae 1 

ow atid io sagede ne ; 
yt 30 atedmen isdte eft oF: ovb o78. eines seas 

aveeR Bie .f0e2it .0 .20. . sydd Bed <0 ,sstiinmos pnt 
Slivow.t .efnsamon bas enetigagaed iadg{es. 1£9f3.4902- 
102 yabwsk seX bos ogeetedem Efeaset daadgoeesedid-< 


: pain 
] or Praline 


% ra 


-tieed2 aids to 4)sub Yatitzes ae no egasanon 2 
eecdu juodziw ,enst etiw ym of “Ggddsbai ma it yelienta 0 
eidiaeeg need evet tor bitev efds- s20ggue Bria: 


°F 


Table of Contents 


Chapter 
it MERIC pel Olen Gea ie winin aia Cue ae rates 
2. REVMeweanoesaCkGrOUund: % icin. aise aie eiea 


3S An Overview of S* and S*(QM-1) ....... 


4, A Synopsis of the QM-1 Architecture . 
se AxioOmMatizat1 ONTO f:S#. (OM) ik se eee 
Denim baton eCard CasON hkvi7sebeerera lettre 
DUMRONG We PY DES) ’ os leyerstedehetoledere tel sy cteue 

See sot eUct s Dec laratl Onis 

Deel sPSCUCGOVArTADLES: 1.4. cus ieiecereete 


Sac The Axioms: of -ASSTONMeEME” Ai..c). sere 


5.2.1 Simple Assignment Statement .... 


5.2.2 Expressions in Assignment Statements 


5.2.3 Multiple Assignment Statement ..... 


Someone rol CONStruct Sen. we weeta cesta e sis 
Bowl UPaAralle li Sm seer iererte cits onene te 

Brigee CONGICIONas “Statements e-.:... 

Big Oo -PLOCEGULe StACEMEN ES 2. cic. 7 

5.4 Proof Rules and Axioms for S*#(QM- 

6. Proof of S*(QM-1) Microprograms ..... 
Glee rhe a MUGT INStruce VOM, uteri iccsie sacs 

Bee pee CALLe 1 NStCLUCELONmi. cise tains oiene 

is CONC IIS) OLS Mors pte ara! « abeleia e's Goteeels euetsie ei alrais 
Pema lUat iON LOL (S% © wisie/steleis oste elieiess) os 


eA Further Work eeoeee3so+oete#eeees#nfe#steeeteee 


a 


—_— 


: 7 _— ° 
- @ite2 
a 


7 


1 7 _ 
| .¥; me 


Dvewew és (os eh beeen eee oe 
} - i) a 


r . 


TrTlererrtreT p 295% s oe Sea ees = 
7 ae | ie I)2 
hes 


, ‘ . : e 
Se A “~~ a J 
biti wighiee yo Pee feng wre 


siugvebyesed. Gees : 


att 


£ to eat 2A ee 408. 


e Ts fi ra ff 
eee 4d © 
‘ “ves eso¥-oraeees ‘ vd 
2 et 
saa @ °F e ee eee 8&8 @ @& @ 
. * ss *¢ aie 
e * * * - { 
» 5 ~ 2 
~ a 
‘* ‘ )2 ‘st & 2) 
~ * 
os e664 P sae @ »sVOTQOTO LF 
. 
~ @* ) 
+ * “eer et tee «+ wie Sau TS 


L ‘e0é6nee Cpa teen be eb ewe een enaees 
os 


; . = 
Bs : “ -<stpnnaronct=shs-i a 
yy) ¥ 


ie 06 ae 


on gee tvake 
- ' 


References Sie teteleielsteienel ote ene where ool eler eee e lore wee ale thls elon le te ee 


Papo re Xmeare See P eee eMaN ov erase a oa" ate hel ole chet oualerw eater cue Sie eats & vs he eee 


Salonen 


"I 


; a 


my 


. 


ale) Uae 
_ - a ; -_ : 

ii ai me ah - 
aa 7 7 ) 


tel, D 7 
A/T 
F q ; , 


- 7 


— 


- 
7 
2 oO 


% 


ot la) 


; af 7 ‘ec 
of UY mors 
|  - S 
“meee wyatt 


etathesty se 


List of Figures 


Figure Page 
LeerOMailNanolevel wArchitecture Conarn. ent. 6k. soak asce. 22 
ZeetcontrolePunctwvon of Fail siFarn, tand (Faodcand iNanoword 
RCUIGINGA Lee Rewer chet ch crehe abcPens ch cleledeh cher ch eraleds chats sredetetedcr ats 6 6s vise ns 6 24 
SeertOMe terior iiy: rAddressaMechanism SBacone. Hidels. used. as. 325 


4, Correspondence of Union-with-Selector Type to QM-1 


Mitre hexon 228. badly. cee Ee. usa. OL. RASS aoscasame: wee 
SMC rADUeSHIETEReCombi nation have. ase % A. Sora seas. geoute0 
Gi ere) Bexcc (0) UpRsO Wh lar. o8. em: eracodacd Pal? i4a65. ci 250 


i208 SL een Pe everatrontor MRepeatehoepes.,. 210ng. #10. a. Gaetan. £54 
SmmeOMzG@ iReguster File hs SLerneion. Res. Deen. Gavered. 2h. che. 58 


SeveOMe@eStack Erame and Maskrwords. Joc. 258.; ere t3 Gar a08. 059 


ae 


— 
ee ee Cas 7] ‘*s Th be . 
eae eee 
host: Bas ‘yada : bet fo pe 


sew@6et4 e686 Ea 


*sese@eoeeeea@geeeoeeve ea a 


* ; o.4 ; 
*e@ eee ® 70 J IokremeD . Ji ie 


Chapter 1 

Introduction 
Microprogramming was introduced in 1951 by M.V. Wilkes as a 
technique for implementing the control unit of computer 
Systems. Since then, mostly due to the technological 
advances in hardware and innovations in computer 
architecture, microprogramming has become widely used as a 
cost-effective and systematic technique for control unit 
implementation. Not only has the use of microprogrammming 
increased but recent years have seen a corresponding growth 
in the size and complexity of microcode [Pat77a]. 

In response to these increases, along with a demand for 
added reliability, much attention has been devoted to the 
development of tools and techniques for the verification of 
microcode [Dav80a,IEE81ia]. Since firmware constitutes one of 
the lowest levels in the hierarchical, multilevel structure 
of computer systems, any errors in microcode could have 
serious and costly repercussions on the reliability of all 
higher software levels executed on the machine. 

In a sense, microprogramming has blurred the once clear 
distinction between hardware and software. This 
correspondence between software and firmware has been 
exploited. The evolution of tools and techniques for the 
production of microcode has paralleled similar developments 
in software with the appearance of micro-assemblers followed 
by high level microprogramming languages (HLMLs) and their 


compilers [Bab81a,Das78a,Das80a,Dav80b]. The last fifteen 


iavtpolendes; ed? @ 


179 3950 at 


ie me he 
i ; ‘ znro.z iSsvor 


- Jan 


7" ‘*) is 


2% 2k Tepe Saye baa mY ¢ 
sy en! lien or Oi 


a 


ras jatieapeaes 


wr ane 
/ - Y ~ 4 c. Gia? ve Be 


i oo Ife dno , 

5: ’ igaé 

=] - 

/ “a 4s = “ ow tt { 4 7] - = iz. rj mT aah | si 
| | WA 
+& a si Y =e 9 aa nd civil +19 
» ‘ 774 AG 
5 4 fi c rn 7isies Vid 
| ; ° fe amy 2g — ale 
i ocinmentasgpeeie . 
> - 
7 = 
sVg @ wor aadev 
aA 1 s ba 1é ww v6ws2 to2 nee — 
| ; 5. ot es " ~— 
. 2 Lifoe? Beas 600% Sisal ore oat $99 
oe " a > _ - nw 
3 es 7 i haz = b vlolleveg ad * abooo oie ry 
insess-o3nim lo ssnenmsgige edz a: 
: 
j Mui) 29D6i {ea at anent mranrapenin. La '@ 
Le] al ’ e 
; DG. Sis e08v et e0te att, 62 Cait i) 


7 . 


5 nat ee 


pd a 


" 
7 sia — 


years has seen the introduction of a variety of HLMLs along 
with automated strategies for optimizing and compacting 
microcode [Dav81a,Fis81a,Lan80a,Rid81a,Tok81a]. It is quite 
natural then, in view of these developments, that most of 
the techniques for the verification of microcode are 
adaptations of similar techniques used in software 
verification. 

As in software, microprogram correctness can be 
approached using either formal verification or empirical 
testing. Historically, the most common and easily applied 
approach has been empirical testing. But is testing 
adequate? 

The disadvantages of testing are well-documented in 
research on software testing and similarly apply to firmware 
[Pat76a,Car87a]. Not only is a large proportion of the 
design time spent testing but the infeasibility of 
exhaustive testing restricts it to the detection of errors 
rather than showing their absence. In microprogramming this 
is further compounded by the difficulty in tracing faults 
found in microcode back to the error in the microprogram 
which caused it. These problems which confront testing have 
identified the need for verification techniques which can be 
used in conjunction with HLMLs earlier in the microprogram 
design process. For these reasons, formal verification has 
been seen aS an attractive, alternate approach to the 


microprogram correctness problem. 


‘ 
“ rmhmasein & © 
ba aa ¢: | 


ry 
_ De ma 7 
f hk C “ PRO 
’ 
a5 
S7<0R ti 
- me 
= o - 
. 
i ee 
5 


> 
4 
.~ 
7 f 
. 
| f 
i 
§ A, 
v¢ , 


oy 


me 


to net ant 


a 
cu 
{ 
he aes 
4 
eile 
+ $65 
if 
_ 2 oa 
 @ ie 


on wee Sect 
Tt ei ca 
deitchinmnih 
¢ 


abooore phe. d : 


= _ mnie 
tinge ae t been sma 


a Sm 


Many of the approaches to formal verification directly 
draw upon the program proof techniques initially formalized 
by Floyd [Flo67a] and Hoare [Hoa69a]. The rationale behind 
proofs of programs is that; given assertions concerning the 
State of program variables during execution and a suitable 
deductive system for reasoning about these assertions one 
Can produce a rigorous proof of program correctness. Not 
only can program proving techniques be applied to existing 
programs but it has been convincingly argued by many authors 
[Gri81a,Dij76a] that these techniques can be used to design 
eorpvecb programs: 

Opponents of this radical approach to the design of 
programs argue that: a) it's not feasible for large 
programs, and in general, programs found in the "real 
world", and b) it requires a deductive system which is 
unnatural and cumbersome to use. But on-going work in this 
area has resulted in the development of uniform and simple 
proof rules for many of the constructs appearing in high 
level languages, including those for specifying parallelism. 
Secondly, the simple, algorithmic nature of microprograms 
makes them ideal candidates for formal verification. 

Although many of the language constructs in HLMLs 
appear similar to those in high level languages their 
semantics may be very different. Microprograms - even those 
expressed in high level languages - are inherently machine 
specific [Das80a]. Consequently the formal deductive system 


for languages like PASCAL [Hoa73a] are not sufficient, nor 


i302 9A? 2608; 
ee ee 


ef? odiniesneD anoksyeeas* 


q F jtua g ft no Lay oe<@ 
i 7 
“ct = 5 Yesey ai? bee or oa S92 ses 
a 
_ iwea@e ne -— 
}oar700 mateelg) 12 aaeay apes 
- " £5 oe 
4 ti rc = ez Bisva 
( ~ 
7 
4 i Mos aeed 
, iG 1 S82n5 
“Kh 
‘ & i a +) - ts 
. "se Ve 
‘ P an = 
rig yal : 
& wd _ ~~) 14435 
. er i , : te 
f eniop-om avi .sew.oy eikashotip r9) Bim: La 
» ‘ . 7 5 
avoliaw te < veb oft ni Seaivess 
[ve 
4 - “} ’ Pe Pt ee ’ » 
ima mas b * LA r 
3 ‘ a ror Ff 
i , . - 
® a a ou = » os" «4 
iTIESHOG PSU POR. . 
i 7 i ; 
~ 5 » 7 — | 
a a Gist 7! A .,C a ie | & ta 
= ri + _ «PG Aik w WwImpiM jes tel 
7 
f if g Zz ets i 4 4 - e eceé té 


me re¢ d 9" "ore ab J 4 cei 7 mri 3 “iz na vor pe 


Of .~ 3ss : . 3 ue I00 Lot Pac anaes mit a 


in some cases, necessary in the microprogramming domain. The 
various conditions which arise in the host' 
micro-architecture must be taken into account when one 
considers microcode verification. For example, the data path 
structure in typical host machines can cause diverse 
Side-effects to be generated in the execution of the most 
innocuous micro-operations. 

The incorporation of machine-specific information into 
the constructs of a language has been identified as a major 
problem in the design of HLMLs [Dav80a,Das80a] so it is not 
Surprising that formally representing the semantics of these 
constructs is a major challenge in the field of microprogram 
verification. Although there have been a number of proposals 
for both formally describing the semantics of HLMLs along 
with different proof techniques, there are only a few actual 
experimental results reported in the literature. The most 
notable of these has been the IBM Microcode Certification 
System by Carter et al [Car78a] uSing symbolic simulation 
and the STRUM system by Patterson [Pat77a] using the 
inductive-assertion method. In particular, Patterson's work 
has clearly illustrated the feasibility of using proof rules 


and axioms in a deductive system for proving microprograms. 


' To avoid any terminological confusion the machine which 
executes a microprogram shall be referred to as the host 
machine (or architecture) and the architecture which a 
microprogram emulates the target machine (or architecture). 
Note, however, that in the literature on compilers and 
portability, the machine for which the compiler generates 
code or to which a system is proved is referred to as the 
target machine. Thus, the "host" machine to an emulator 
writer is the "target" machine to the compiler writer! 


vis 


n 


or 


——. evi ety 


a. 


- 


_ 1 


% 


10: edie: “ami09) =? ab4 


_ 


Ager a$eh ads 


~~ =e - * 
—) a <7 
- > 
X 
nee t9 
70) ti 
ae 
' 
Fs ‘ 
“ and 
5 
od é 


eg eT a vet felr. 
“hid ur ag rae 


Pa eer 
.’ Tete te Cele 44s 


— 


ste yhaKs Pree <r 


7 : 
o ad o 
rar ye 
. =\ 
a 1 
e727 9 
a 
erie 
¢ 
—_ r ? 


oo 
> oauiéce 10h9-8 


2 


‘a we idan LA) | noe 26g: 70088 Si | 


am 
i to aol 


a LS 


iy Seen 


A PRER 1c alam gs 


ad3 stip atten ove. 


“4iroceb ytlamsot “a 
- 
acustinipes odie tiered Ff 


rn 
i Qaticchey ft edluees Seane rte 


A = 
i 
- } 9 
hh : 4 4 ; bf 


a 2 a Jena rel rece y2 Mm nS . 
> ni Jen notarsesa-sv i: 
eit a 7 as 7 
ana ene Sasattaulli ylrssis 
rm re 

nota ge: avi 2 auth sb a b aime 

. t+ J oN a 
iii 


1 hl 


[20 


ot 


a 
ig 


The general aim of this thesis is to demonstrate how 
machine specific information can be incorporated into a 
uniform, and relatively easy to use, deductive system 
Supporting the design of correct microprograms. It is also 
hoped that this thesis will provide some insight into the 
design of host machines and microprogramming languages which 
Support verification. 

More specifically, this thesis shows the construction 
and use of a formal deductive system for the HLML, 
S*(QM-1).? Developed is a Hoare Logic based on a formal 
axiomatic definition of S*(QM-1). 

Furthermore, this thesis forms a part of the S*(QM-1) 
project at the University of Alberta. Related work has 
included, the instantiation of S* to the QM-1 [Kla81a], the 
compaction of microcode produced from S*(QM-1) [Rid81a], and 
the specification of a C-oriented architecture, QM-C 
[Ola82a] in this language. In addition to the broader aims, 
the goal of this thesis in regards to the S*(QM-1) project 
was to evaluate the schema S* with respect to verification 
by investigating the verifiability of S*(QM-1) programs. 

The rest of this thesis iS organized as follows. In 
chapter 2 the more recent microcode verification systems and 
proposals are reviewed. Also, the main differences between 
these efforts and the work contained in this thesis are 


outlined. Since the main thrust of this work concerns 


2 This language is an instantiation of the machine 
independent microprogramming schema S* for the nanolevel 
architecture of the Nanodata QM-1. 


Saves yoem t2aA 
: 72 otadagiaa 
em rn} tC ok Br 


rind sid 34 358 
al 7 

a ; | i 
, +s | \ Pty Pett on? yes a} 
Ss 
rat 


> » ea at ' BDOIOY ; ane Ye es ” 


” P . : Fa os - 
a < Pi TOT.2.6 ° nonbauis ‘2 Spe}! 


PoYVensl ardagz cif eee 


“ 
ts 
> 
~ 
i 
‘ay 
—) 
ha 


it io MS)-3eA TORS Stl: cee et 
} +2 ett B Soceaane none 


programs written in S*(QM-1), the nature of the 
microprogramming language schema S* and the idea of 
instantiation of S* to the QM-1 are recapitulated in chapter 
3. Chapter 4 provides a brief overview of the QM-1 
architecture. 

The main results are considered in chapter 5, where the 
important issues concerning the axiomatization of S*(QM-1) 
are discussed. Chapter 6 demonstrates how the axioms and 
proof rules, developed in the preceeding chapter, can be 
used in the proof of correctness of two different and 
non-trival nanoprograms. Finally chapter 7 assesses the work 
reported here and points out some directions for further 
work. 

The entire formal description of S*(QM-1) is contained 
in a second document submitted as a technical report 
[Wag83a]. For the sake of completeness, parts of the report 
contain material already discussed in the main body of the 


thesis. 


7 
i ae 
: eo - antl Gad bre 


Chapter 2 
Review and Background 

In this chapter several different strategies for formal 

verification are considered with brief descriptions of 

actual or proposed firmware verification systems using these 
strategies. The different approaches to verification can be 
classified by the type of formal specification used to 
describe the semantics of the microprogramming language. The 
semantics of the language can be described denotationally, 
operationally, or axiomatically. 

e denotational - language constructs are described as 
semantic functions over the domain of values which can 
be assumed by data objects in the language. 

@ operational - the Semantics are described in terms of 
the more elementary actions which they invoke upon 
execution. 

e axiomatic - axioms and rules of inference are used to 
describe the properties of constructs in the language. 

Verification techniques based on each of these three types 

of specifications are presented in the following paragraphs. 

A verification technique proposed by Blinkle and 

Budkowski [Bli76a] uses a denotational description of the 

semantics of a language. In this method, a microprogram is 

divided into modules whose binary input/output relation is 
defined as a set of semantic functions. The microprogram, 
viewed aS a combination and functional composition of these 


modules, is solved algebraically as a system of fixed-point 


ie 
I 
hd 
Pudi 
TES 


oc“ 7 


oT fa tahoe ei 
2/155, 5 oe Gast | - ‘wie 
nee > i ~~ 
1, Vea 
iene 
hnges eb 


om ag >? " ; as Beco - ‘ 
: aa 7 7 
he. y 


x 
eons ae! 2 Ons RAO Ys 
= 
“7 Laer 
© od ne ook thw aw © i glad tihal 
Fe, 
4 = 5 we A ty < 
t ‘ = mea 5 { =£ 
J iam i OM Sree sAs oss 
bi Sag FDS RaeS3Q S78 3h 
ha =a ae 
ae, | > m a ae : pe, ine 7 — 
J3aGls 2 (ak Loass? Ot 


3 Tt isnordsu0hep & 2oau {enti 

eee borgem efdg ah <debuprnl o as etme 
‘ ae \ _ ; - 

JUQSUO\JOGNL Yienid, epoteesiybon o7ct fe 
: ‘ 7 
. 


' :* _ 7 
h $i!) .2nNorsaihiy Syne ee a 
ee 
2 te 


7 


ly ; 
y os 1 +s 30 fs 
: a ; 7 
, ; te 7 


iO lenetts ag bass pea 
_ 


1475 nl Soe 
a ca : = Jieshesd 


7 _ -_ 
iy ay 


equations. One finally obtains an input/output relation for 
the entire microprogram. This method has been successfully 
tested on a number of microprograms written for a floating 
porntrunat. 

A verification system proposed by Dembinski and 
Budkowski [Dem78a] is based upon the Blinkle-Budkowski 
method and uses a language called MIDDLE (Microprogramming 
Design and Description Language) and a subset of it, 
A-MIDDLE (Algorithmic MIDDLE). The authors of this system 
suggest that the only difference between firmware and 
software is that firmware is directly linked to the hardware 
executing it. Therefore, using MIDDLE and A-MIDDLE, one can 
in a step-wise manner abstract the purely 
machine-independent behavior from the microcode. This can 
then be proved correct by uSing existing software 
verification techniques. 

MIDDLE consists of low level constructs which specify 
selection, branching, synchronous, and asynchronous 
assignment. The declaration section in MIDDLE gives a 
functional description of the hardware components and allows 
the declaration of higher level functions as combinations of 
previously defined functions. In the proof itself a set of 
well-defined transformations are used to change a MIDDLE 
microprogram into a purely algorithmic A-MIDDLE program 
after which the Blinkle-Budkowski method is applied to 


verify the A-MIDDLE program. 


oie 
# 
i 


_ way? ve 


a 


502 ci* rset 


yr ie is ite 
wy an | 7 ™ 


ele 7 4. _ - 
dio ee Pama Sede he 


‘ + L ¥ G a Sc 


gfiz x9 rpreu Aa ptoe ees Senn 


an ey 
fade etogy tg issu 
- 


“sb TOD val ingle 2avetera aed sega al 


HVE SPOS. gs er: niet omn al: (woh 


INGIM) OT) noteasa omims eine 
aie © 75 sift 2d - Pe @i* a> 
| , rate 3h bs 
- c si ; "Ft ‘+2 a? ¢ a, a ij 2 A 
~oits & ! ) = Ps j ‘i t a eieci. oO lates 
ot i" 
ody ert’ at sheksanud forte a 


| rome i 
27s enoi tein OtSAst2 


4 
sv 
2 


meer: im ie bis a dant 
— 


Notice that this method is basically a bottom-up 
system. Starting with the microcode and description of the 
host architecture, one abStracts away the machine specific 
properties of the microprogram. Although the authors claim 
that this system could also be used in a top-down manner for 
the design of microcode, it remains to be demonstrated that 
in would in fact generate efficient microcode. 

Symbolic Simulation is the most widely used 
verification technique based on an operational specification 
of the language. This techniques replaces the input data of 
a program by symbols denoting fixed but unknown quantities, 
and then simulates the execution of the program on these 
symbols. The semantics of the language are defined by the 
Simulator in the symbolic execution of the program. This 
approach has been used in the IBM Microcode Verification 
System (MCS) developed by Carter et aj] [Car78a]. 

The MCS system is based on symbolic simulation and 
Milner's [Mil71a] technique for proving the equivalence of 
programs. In this method both the behavior of the intended 
microprogram and architectural description of the host 
machine is specified in an APL-like language called LSS. 
Then the completely automated MCS system executes both the 
behavioral description of the microcode and the actual 
microcode on the architectural description. The MCS system 
simplifies and then compares the execution of the two 


simulations proving their equivalence. 


a 


: Pie: oe : etal 
iO i] %y { . ies ee: eUpiniss? ners a! 


5 = 


; 7 w 
isupingget andar <a oie 


piizegabazt ot nie xd mentor 
Any 
| 3fF 25 Oe UORRS Sea» pasvatoinhe: es 


HI aartineias ont vated 


peaefoaava efy- nk tox, 


: pais Om 
5 ii Sud LeGeet. 6 a0 2nd it : 


flodmy2 10 BSBegVer wesage 29M od 
pHivoIg 20h supeniipe? lies teed: * thers Lf 
eter o Bo a) oe | A re ‘GQ Dons a bits okie y Game 


tgimtgesb- [ano epesdidors ee a: 
’ J 


— 
> 
L& «dhl * Pe 24 gr Ss 
’ i 
sieve 29M Ssssmosrs yleseiggo> ed» 


iA SbODA IM SHS) Anak iqlasea isacl 
am tenaciSeiiidats aay no . On ¥ 
ca SAY eee aD nets walk we 
ASL SCT ivpe: aia ahitwosg, ane ==§ 


le 
i‘ ae 

roe 

- a 


This system was successfully used to verify microcode 
for the NASA Standard Spaceborn Computer-2 and uncovered a 
number of errors. However, Carter, has noted that work is 
Still required on the Simplification of expressions arising 
in the symbolic execution and the proof that these 
expressions are equivalent. More recent work in this area 
has been in the development of an ISPS* based microprogram 
Simulation system developed by Crocker [Cro80a] at ISI 
(Information Sciences Institute). But as yet few results 
have appeared in the literature. 

An interesting result related to simulation and 
microcode verification has been reported by Oakley [0ak79a] 
at CMU. He has used symbolic simulation to obtain 
higher-level non-procedural descriptions from ISPS 
descriptions of the architecture. It seems plausible that 
this system could be used to generate non-procedural 
descriptions of microprograms. 

The final approach to verification, and the one used in 
this thesis, is based upon an axiomatic description of the 
semantics of the language. The axioms and rules of inference 
given in the description provide the basis for a deductive 
system used to construct proofs of correctness of 
microprograms. 

| The deductive system, or Hoare Logic, consists of 
formulas in the predicate calculus along with formulas {P} § 
{Q} where P, Q are predicates and S is some legal program 


> ISPS is a procedural architecture description language 
derived from ISP [Bel71a] by Barbacci [Bar82a]. 


aievoow Bie <-yethe 1D 


7 


= 


fazeujes 36 noi tesk — 


on ce 
it jeds touw otig ‘thie os 


mi ax Ise 2:04 
f +h v ot 
a P 
a ey 
Cc 
‘7 
ms A? bis ~*< 
' a” t . i. 
-) 1eAaen. (eo Metayea! fF 
toi io. eaedaget 
= 
Ber c4€0% rie ; fo df 7D Facui? - 
ss ' 7 - 
ro Jizvavernae «cin Gi. Ofte ai ehaods ¢ 
y : ve sf Ep a. Pa 36 Poisn ain 
‘4 6% Yom oL4¢g 1% 1a ars nl x 
Let e2¢ 729 bs | le ee 2 eT bo) ag Geey, "ey 3 °% 
C- a : 
Wy me 
ol 
= 4H ’ a tw] G9LEVS evs anaes th 
he he an , - c ° 7 i ee ae | = 
igiv pnoia au lugiss stanibesgg one hi 
Lapel amoa et 2 Bre sarmuiiieng boa. 0 08 
; ig tsee® wads tote fargbasess, ws 
- leStret] S208 ye fartien) ¢ 


t 


statement or statements. The formula {P} S {Q} is to be read 
as: 1f£ the state of the machine is such that assertion P is 
true before execution of S then the execution of S leads to 
a state such that Q is true when (and only if) S terminates. 
This is a statement of partial correctness. A proof of total 
correctness requires, in addition, a proof that § 
terminates. P and Q are often called the pre-condition and 
post-condition, respectively of the statement S. 

In addition, a Hoare Logic consists of inference rules 
from the predicate calculus along with rules of inference 
which describe the effects of the execution of composite 
Statements in the language. These inferences (proof rules) 


are usually denoted as 


which states that whenever the premises H,, H2, ... H,» are 
true then H is also true. The alternative notation 

(H,;, & Hz & ... & H, » H) may also be used to mean to same 
thing. Predicates (or assertions) consist of formulas with a 
meaningful interpretation with respect to the state of the 
underlying abstract machine. For instance the assertion 
language may be founded on the mathematical system of finite 


binary arithmetic. 


re 


a 


AOL we S25 


q@w 


Wt 364 -attidase 19872 


s = = - 

(6a 19 £ oO 6a6. 4 
23pm | a. 

2 be Vitus i 29 me MESA 

a i ae ; 
+thod-S246H | s — thie 


ahold alse tes asain 


: 
“al 


as 
O-8a SBMA baa: oi ; 
ey , +5.) 


my — 7] ; fi a ‘ 3 Vena "i - tend 


mal 


= 


sé -. , -~ 
J a4 MUR2 Obs ai ree 
: ( ™~ : 
_ Ld : ~ a 7 
< a (a - at » - . | A¢ 
} 


a 
Ws 
ryt 
i 4+) 
ue 
ty 
it 
] —_ 
e 
‘> 
- 
cf 
oe 


7 


t 
' 
| 
& 
¢ 
ua 
= 
1 | 
a & 
&2 
é¢ 
y- a 
a: 
bes 
a 


sriem atg iT? Sab ng? oo: ale t ¥] F-1' 


_. 
€ 


a 


AF 


Given the pre- and post-conditions, P and Q, one can, 
in a step-wise fashion, construct valid sequences of 
statements S for which {P} S {Q} can be shown to be true. An 
obvious limitation of this method is that the proof is only 
ase Gocdvassithetipre- and) post “condi ti ons.e@mhatiaisy a proof, 
{P} M {Q} of a microprogram M is simply a statement that M 
is consistent with respect to its pre- and post-conditions. 
Furthermore, an axiomatization of the language must describe 
the change of state (of all declared variables in the 
program) caused by S upon compiling and executing S on the 
host machine. 

Once given an axiomatic definition of the language 
there are a number of different ways to proceed with the 
actual proof. The most common approach is the 
induct ive-assertion method formulated originally by Floyd 
[Flo67a] and Hoare [Hoa72a]. In this technique, assertions 
describing the desired state of the program at particular 
points in its execution are included in the program. A 
program is said to be verified, with respect to the 
assertions, if it can be shown that for every path between 
these assertions the initial assertion together with the 
program imply the final assertion. The implications between 
these two assertions are called verification conditions or 
VC "ss 

A verification system using the inductive-assertion 
technique is STRUM developed by Patterson at UCLA. STRUM is 


a high level microprogramming language oriented primarily to 


Ae | 


« 
- 


,A8> 966 wii 
? ae -_ ty ’ 
a0 &@ iatieie eda 
’ 
tt Sut? « >i avode 


lw * 
- ] 4* i ’ 
4 « 
« 
/ 
oo" i a 1% 
- > 
‘ rire 
4 * 
- ~* 1 
r ‘ . 
‘ 1. ‘ a4 \. 
, i] 
~ - ~ 7) 
F 
4 oT) bw 
- ¢ 
s _ c WW « 
4 he 
a J s y MM 
_ « - a a] . : q 
j + 
4 é 5 { te s Pe ee | i 


sofas 
4 badatevab Mons a 


= eB | ‘Be° sp oe 


« a , 
- 14 


OD TORY 2 ya Setuss 


- 
i eee 
Tite 

= ‘ 

w 


an hitousmt of 

1A, 

i» . , 7 -_ 
As nevie srnd v6 


thi to redmyh 4 976 87 
we taom att . dou ty 
5 bortenm 151 er we pes 
‘0s0H) a 24¢ 
Iage DSetia od 
I 6 ADiay pany e: 
eiiltary ad os biee et 
. - e 2 in 
fian60, NGS 2: 4s. .,9nord 
s Llatdgenf ods eanoidttoees af 
Sones ae A aris wt 
oe lenis 7 42 
sllen 875 anpitese 
iP 
i” 
caf oor forseai! - 


“ontnmoreergea 
a 


13 


the Burroughs Interpreter (the D machine). In verifying 
STRUM programs, intermediate assertions are passed to a 
Verification Condition Generator which automatically uses 
the axioms and proof rules for STRUM to prove that the 
microprogram does indeed satisfy the intermediate 
assertions. This system was used to formally verify a 1700 
line microprogram emulating a Hewlett-Packard HP-2115. 

As mentioned in chapter 1 the proof technique used in 
this thesis is similar to the inductive-assertion method 
except that it is a constructive method for the design of 
correct programs rather than a method for proving the 
correctness of existing microprograms. The difference 
between the two methods is that the only assertions assumed 
true are the initial and final assertions for the entire 
program. 

If constructive proof techniques are to be successful 
it 1S necessary that the microprogrammer have an elegant and 
easy to use formal deductive system from which he can can 
derive proofs of program correctness. The formation of an 
axiomatic definition of S*(QM-1) is quite similar in nature 
to the formalization of STRUM, referred to earlier. The most 
important differences between this work and that of 
Patterson are as follows. 

1. STRUM was oriented towards the Burroughs Interpreter 
while S*(QM-1) is specifically tailored to a somewhat 
different architecture, namely the QM-1. 


2. S* and therefore, any language instantiated from it, 


et 


: > 
fgny 2a ver Smear porg 
‘ wy > a _ 

Lm: F ae. seine 96 eae 
Si peo ws en ated 


7 
teiibntleal 


i+ « + weroog ' 
er Pe, (ei22ous 


i\jmwbso. ! herve? sau ety 


sires. 
IgnIUSITOs aeSAposg I oe a * 


a2 sbiaeod Seger lions sh MOaTR. 

Uiashtenege st “Wo)e8 st 

"4 EN at esgic *neset tf 
i> oe ‘SS. a ~ n, 

Pen | wat —— 7% eroisreity Sts e 

. 7 

oh 


my | 


14 


contains a richer set of data structuring capabilities 
than STRUM. It also contains a number of constructs used 
for expressing low-level parallelism appropriate for 
monophase, polyphase, and multicycle timing schemes. 
STRUM's support for parallelism is relatively simple. 
The feature known as residual contro] [Fly71a] present 
in the QM-1 poses rather unique problems in the 
axiomatization of S*(QM-1). Since residual control is 
present in several other machines [Kor75a,Kra80a,Str78a] 
it is hoped that a solution to this problem will be 
useful in a wider context than for the QM-1. 

The highly horizontal nature of the QM-1 raises issues 
concerning side-effects which must be reflected in the 
axioms and proof rules. Neither STRUM nor any other 
verification system has addressed this issue. 

At a more general level the aim of this thesis was to 
test the viability of the schema S* with respect to 


verification. 


aa 
rT, ddén re: ant 
mene oe 


Exe 
a tu2 Smal aoe 
ia 


ps os ae 
aeiv7. 1oo%G 
oe 


2 
vac Gs 4 o¢ | ae & i-msisa pa ° 
ie i | int 
- - 
3 3 ) 3 ? Laven Lewons 
\ @ 2 ‘= 7 
7 
2 y #2 e arta Be. ueebicehy ope oR 
7 = ar 
+" 7 
/ Pa. “) ean 
WAM 
—_ > 
sd > 
of 7 


= a 
i Ie a) ‘ 
. : - 


oa sie 


Chapter 3 


An Overview of S* and S#*(QM-1) 


The design of S* as originally conceived [Das78a,Das80a] was 


influenced primarily by two forces. On the one hand there 


was a deSire to utilize many of the (then) current 


principles of programming language design and methodology. 


On the other hand S* was to be formulated so that it: 


(he 


PX, 


could be instantiated with minimal effort; 

would facilitate the design, verification, and 
understanding of well-structured yet efficient 
microprograms; 

would allow the representation of microprograms at 
varying levels of abstraction; and 

would permit microprograms to be written, verified and 
understood without reference to the internal 


organization of the control unit. 


Basically, the schema has the following features: 


A 


2 


The primitive data types bit and sequence and a set of 

structured data types including, array, tuple, (which is 

identical to the Pascal record) and stack. 

A set of simple statements which may be used to 

represent micro-operations - i.e. the most primitive, 

indivisible units available to the microprogrammer. The 

set of simple statements includes: 

a. a generic assignment, the syntax and semantics of 
which is not specified in S* - their valid forms and 


meanings are assumed to be machine-dependent and are 


15 


Je 


io £6 ahisdca eric 
} iv. 
> 4 7 2 i iri arg 
e j iH << ’ , + eevee 
i> j a ‘o- a ig 3 as 


: : ‘ - 
Pe?) we Tt TOLTS23aC0-olf ia Iriel oe uy b 


» 


iw iies thesia 


bs {Goavces. (enest ods os Ladicaeh 


i AAS 3 672 slamie ie 3164 


a. ee aT 7 . 
2 aa! SOUS BLES S220 ei ciete 
: 7 


Sseteslont alii and sauna wlqate i» soa 
ASryR Att , Sree glean ain 
: 7 
~ £€20n Herticage a Pra 
_ | 

eu amas > & Spo 


16 


determined during instantiation; 
b. the simple se/ection statement 
i OeGne 26S: O|'|eCoasasien) | arar ii: Cacetsa. fa 
where the C,;'s denote testable conditions and the 
S;'S are Simple statements (other than selections). 
Here again, the construct merely provides a template 
for valid selections - the legal testable conditions 
C,;'s and statements S, are machine-dependent and are 
determined during instantiation; 
Gumecnesprocedureucall statements gand 
dae Gheeqotor 
3. A set of structured statements that allow for the 
composition of larger program entities. Most of these 
are adaptations of Pascal-like statements and, of 
course, sequential composition. In addition, there exist 
Pheecocyc le and stcycle constructs=for, the parallel 
composition of statements. 
4, The synonym declaration statement which allows the 
programmer to arbitrarily rename previously declared 


data objects or parts thereof. 


As previously noted, the syntax and semantics of the 
constructs in S* are only partially defined. An 
instantiation of the schema S* to a particular host machine, 
"MM speeifically*tailorsethewconstructssinyS* to M. The 
fully defined language thus derived would contain the 


machine dependent information necessary for the efficient 


& 
_ 


A > - 
ce - ia) >.4 As ft 
an 


si? agtito) 22 sors as uses 


oe ee 


ines tin? 


fel Sante, nent oh t aimee of 


7 1 
to 3 oe - 
. a ll 
a 
— 
| 
ve s3 2 “4 
j e 9 j ¥\ 
a . 
a on 
J 
ft ry be , ; 
J # « ~ 
i] 4 ¢ 4 i om, > t. _ 
’ ny 


is Ww ode iota k aet eUleak 


Mn 


~y ‘san « 
~ sa 2 aint | 
 ] . ~, 
| = 4* y ' L_* zt 
4 ¥ » | ~~“ > 
f «< 5 ta &< 


oe we a i 
HMAICo? a 419 @ 
by 


* a ay we 
pavprel Se 


: seselen 2Gieeseint. ios = entid: 
a) Se 


A, 


utilization of the micro-architecture. The instantiation 

process itself can be divided into three stages. 

1. The formation of a data declaration section. Such 
pre-defined declarations serve to bind actual machine 
locations to data objects in the language. 

2. The determination of the exact form and meaning of 
assignments and expressions. This includes binding S* 
Operators to particular hardware devices and deciding, 
with respect to the previously declared data objects, 
what will constitute a valid assignment or expression. 

3. the determination of the type of constructs which will 
be available for controlling the flow of the 
microprograms. This will depend on the control 
mechanisms available in the machine and, in the case of 
selection mechanisms, those machine states that are 
testable. 

Such an instantiation was carried out by Klassen [Kla81a] 

for the QM-1, resulting in the language S*(QM-1). 

The primary objective in the instantiation of S*(QM-1) 
was, within the framework of S*, to design S*(QM-1) so that 
it would be able to be compiled into efficient object code. 
In view of this goal, Klassen's work defines the syntax of 
S*(QM-1) and operationally describes the semantics of the 
language in terms of the nanoprimitive operations invoked 
upon execution. The present work, builds upon this 


definition of S*(QM-1) by making the language verifiable. 


. 4 
OKs sag 


jam: ed CF ages 4 op 


7 : 7 
asy Yo hokianiniss 


Ly 
vind 207 sidatiovs 


[we ecaT 


.annrgo7goral 


nfdeiievs onahns 
- 


-_ 
7D 


f 


y 


‘uehen 
| fiir: 
+ ih eatennsnaty he de 


eri =fue6s yk +0 06 ‘32 


: a 
vitgetdo yramé iq s 


f Pr ow aia ay? ord aisiziw 
sida ed biuow 


¢ 30 sidehseset sue 

ae _ 

inege1q =_? nes Uooms £ 
35 


= 


pe 


7 


ee 


As previously outlined, the formation of an axiomatic 
definition of the language is essential to applying proof 
techniques to the verification of S#*#(QM-1) programs: An 
axiomatization of the language was formed according to the 
following two constraints. First, important to the 
application of a constructive proof technique, is the 
definition of a simple set of axioms with the fewest 
possible qualifications. Therefore, wherever feasible, the 
semantics were embedded into the syntax of the language. Not 
only is purely syntactic verification preferable over proofs 
of semantic correctness [Sto77a] but applying this principle 
greatly simplifies the formal semantics. 

Example 1. 

Consider an ALU operation in a host machine which resets the 
left and right inputs (ail, air, respectively) to zero. If 
these side-effects are not explicitly bound to the ALU 
operation then the ALU operation and its side effects can be 
expressed by the statement sequence; 


alu_result := alu_expression; 


However, alternately the semantics of the ALU operation and 
its side-effects could be embedded directly into the syntax 
by means of the multiple assignment statement: 


alu result,ail,air := alu_expression,0,0 


’ 
[aA6, 
rs 


“Sy. .€a0% 


7 ea eee ms git : 
a ys 33 ‘fe Yet? 
i 


. 


a 


io ve 
TaOt Ii lenge 
anal ms 
iyo" ? Setthed« o2 ’ 
1 a _ lls 7 Pp 


& ia atj *) This wigs a | 


<9 7 « 


: ' 
‘ 4 ve ; 
ot he) cron idpds. Be a 
¥ 7) 
= 06 S76 @3 36 1de-sbii oe 
. s. +e 


ua ‘3 jemat t nepkee a 
_ _ = 

: a eee 

“4 bentexqze 


* - a 
aij rh &: ar? 
j as 


- 


19 


secondly, the present instantiation of S*(QM-1) defines 
the nano-architecture, data objects, and actions, that must 
be visible to the programmer in order to produce efficient 
object code from S*(QM-1) source. In formalizing the 
language any modifications required to S*(QM-1) in order to 
Support verification must not detract from the need to 


produce efficient object code. 


a 
ia em (hw) bv itp ie 


— me; 


a ee 


2rmng } gus “Saini =, a@o 


aki 7 y 


Chapter 4 

A Synopsis of the QM-1 Architecture 
In view of the discussions in the preceding chapters on the 
design and axiomatization of S*(QM-1) it is important to 
describe the architecture of the QM-1 and the features of it 
which had considerable impact on this work. The Nanodata 
QM-1 iS a uSer-microprogrammable general emulation engine 
with two rather distinctive features: a two Jevel control 
store and extensive use of residual control. 

The two level control store consists of a higher level 
control store and a lower level nanostore. The 
micro-instructions in control store may interpret the 
conventional machine instructions which reside in main 
store. These micro-instructions are 18-bit vertical words 
and have no capacity for specifying concurrent operations. 
Micro-instructions are, in turn, interpreted by highly 
horizontal nano-instructions contained in nanostore. At this 
lower level one can fully utilize the high degree of 
parallelism possible between nano-operations. 

Since the primary goal of S*(QM-1) was to test as 
stringently as possible the theoretical ideas underlying 
instantiation, verification, and code compaction, the QM-1 
nanolevel architecture was chosen as the testbed for this 
work. It is at this level, with the distinctive features of 
the QM-1 and high degree of parallelism available that the 


more interesting problems in microprogramming arise. 


20 


, 
= , — 
1 { 


{ ~$tr a bY or a 
; t< load oi 


x 7 : ; 
“1 eit FOG IGO2o =- a 
- 7 " ag 


7 7 = 
= - ww - 
use ouPIahi oe! a 
_ oe 


an. I sow. ev ianesae 5 


% 
opinge kt enotisusdent- 
itowrGer? entdve wt Lpnolsn 
i i. 14 oIvia saad? 4 


7 


163 yeioegso: ani 
oie 
438 ancitsagz! nf-o1d 


ww 


; a [ yer . 
ie | PT SHOT TDi 12 al-eRet- — as} 
* ' ; ' , - 
(lisa Qiiwt ne> ep been ewe 
ged: sidiseog weilel ere 
fd 7 = = 
“¥O)e 20 Ieop eaamizg Sd7 santa 
| ; are 

sive iz «4 pldisgog ve ylineené 
oo bas ,Apigaoliisey jnokistan 
rocot> 266 sivdoe stdors tovs 


aid? te Bi 3t Ss 


be 


21 


The QM-1 nanolevel architecture can logically be viewed 
as consisting of a 6-bit domain and an 18-bit domain with 
data path widths of 6-bits and 18-bits respectively. A block 
Structured diagram of the major hardware components of the 
QM-1 nano-architecture visible to the S*(QM-1) programmer is 
given in Fig. 1. Notice that the two domains intersect at 
the instruction register and that the thirty-two general 
purpose local store registers serve as a central location 
for routing values between many of the locations and devices 
in the 18-bit domain. The 6-bit domain, besides providing 
support for the storage and manipulation of 6-bit words, 
acts also as a residual control for the control of many of 
the transfers and transformations occurring in the 18-bit 
domain. 

The idea of residual control originally proposed by 
Flynn and Rosin [Fly71a], rests on the observation that in 
emulating a target architecture control information once 
"Set up" remains relatively invariant for significant 
periods of time. Thus, instead of holding this information 
in the microword (or, in case of the QM-1, in the nanoword), 
it can be placed in special registers which can remain 
invariant for the execution of several microwords. By 
reducing the amount of control information that needs to be 
held in the micro(nano)word its width can be significantly 


reduced. 


i: 7 —_ 
- 7 
FR 
- 
a, 
is 
bowsty of yvilés 
1 
i P ‘a 4 4 
; { 4 7, 
2 « 
: 
. 
7 


eC - a9 2 igs 
P % 


Bats Sn ee 


f 
(i ae 


2 ; o 
. “B.48T . he anor tte 3 
al se SO FQ > 7 -¢s a oa 


nant 
Tele Aeui 


“~ “s 
oh 
» 4 BJ 
. ; rs 
8 , 
7 O's 
= : +4 
d ei av au 
<j 4 3s 
oy — « <2 
f ‘ : i - > ifr a 
/ e- Z AS te; 
' = Ae ~ 
. ‘ « » ; 
~ 
: r. © ae) rs 
* - , ot) a 
he 4 eo 4619 


ty bee: tale igs ne 


i os omer i ; 


ia 
: stpte 6208 


— 


> 


: ah 
ter 6 26 os 


‘ Bae asta 
sabi | 
iS]. peeet 
‘jas «& 
ax sndena’ 
vomits 0 ab 
a) HOMIES bin 
ni beoalg od 


JHUOMS 


i oa 
inyoxsim one nt 


22 


18—bit DOMAIN 


| control 
store |«——|/index |<—————— 
| alu External | 
Score 


Local 
store 


t IO | 

(32 Interface 

| | main <—»| registers) | 
store Sa ee 

| r epeutiag_nAsn= = ] shifter comb.]| | 


| [ievester wietas ]-— 
32 


| F-store 


registers 
| 
ALU-F |< 
| 


Figure 1. QM-1 Nanolevel Architecture 


The most common use of residual contro] in the QM-1 is 
the selection of local store (or external store) registers 


for input or output and the selection of the operation to be 


23 


performed by functional units. For example the F-store 
registers "fail? ,gande "fair" selectithesleftseand right 
inputs to the ALU from local store while "faod" determines 
which local store register is connected to the ALU output 
bus. The function performed by the ALU is partially 
determined by the value of yet another residual control 
register, the K-vector-fieldikalc". (Fig. 2) 

There exists two types of residual control in the QM-1. 
The F-store registers which remain set until explicitly 
changed via nanoprogram control and K-vector fields which 
form part of the executing nanoword. These K-vector fields 
are considered part of residual control because of the 
manner in which a nanoword is executed in the QM-1. A 
nanoword in nanostore is 360 bits wide and is divided into 
five 72-bit subwords (Fig. 2). On execution of a nanoword 
the first of these subwords, called the K-vector, remains 
active throughout the execution of each of the remaining 
subwords called T-vectors. Each T-vector has an identical 
format and each are activated in turn, one after another. 
Thus, from a logical point of view, a combination of the 
K-vector and the active T-vector constitutes a 
nano-instruction. Certain of these K-vector fields are not 
only set or reset on activation of a new nanoword but can 
also be explicitly changed via nanoprogram control. 

In summary, the control function in the QM-1 is quite 
varied and rests partially in F-store registers which remain 


Stable, K-vector fields remaining stable throughout 


Pt a! = be 


ial a eee i ie : Si 
: tes 7s —_ — - 5 TA ‘apa 7 a vr) 
¥ 2 


me ve B i a al 4 4 oog8 
ww. £2 wn -: 
« aiset ht ry fal | af 
| fi pari oe 
ibies4 aa te om " 
Paet ur, 
ismaa: Sendo 
ig Lo3 Treat esdds Bf 
| Naess | sas 
OPT qnstuce ah die 
ee 
os cae Fo 23 
@ : os = 
Md J2ue onsn 
~~ 
at e7 
Pir 
: d = ‘s ’ on) ay 
- 
at F Awe: 


TEX alelelen: ts) iy bapiteity qisis me 


iMG ads of no ietoried pee Sine ms 
’ — =” = -_—— | a! ae ms 
- 2 aes 


24 


local store reg. tocadlestore. . req. 


one] [a a 


| ! 


18=b2 Ce ALU «—kalc,cih 


| 

\/ 
sco [ 

| 


local store reg. 


K TA We as T4 
vector vector vector vector vector 


Bigurce 2. e¢ontro! Function of Fail, Fair, and Faod ‘and 
Nanoword Format 


the execution of a nanoword, and finally in T-vector fields 
which provides what Kornerup and Shriver [Kor75a] termed 
immediate control. 

Sequencing between nanowords in the QM-1 is handled by 
a special priority address mechanism. The address of the 
next nanoword to be executed could be either of the 
following: one of 30 interrupt addresses encoded into 
certain external store registers, a branch address contained 


in the executing nanoword, or an address supplied by the 


if ¥iienz: 16 ,oTevo0g .4 
~ 


- fo 
lear 
ni (Mg ed? nt ebrononen anbwded phisneupee 


; se Oath 


h 


, -5 oui 2 eines: 4 1 saaTtk. *) ® qtr: os qt > af 
e an 2g 
} Sentste 6d blues 22 FUTSKS od o7 £ 
i" 2 7 
beboons esesserbhe TREES - io” in 
: - er “ ; 7 
: y 
e3bee donesd s pamberiz sh 
1 
Soiloque agethbe an za «6 


ENS 


level 
| [asanch saaress 
2 
; Interrupt 
: Addresses 
31 
22 [Renoprogian comer 


Figure 3. QM-1 Priority Address Mechanism 


Nanoprogram counter (NPC). 

Depending on certain flags set in the executing 
nanoword each of the addresses in Fig. 3 can become active. 
The priority address mechanism will select the active 
address with the lowest priority as the address of the next 
nanoword to be executed. Interrupts become active only if 
they are pending’ and the allow-interrupts flag has been set 
in the executing nanoword. The address assigned to the 
highest priority level, the NPC, is always active and either 
re-executes the present nanoword, or the next nanoword in 


sequence. 


* The interrupt has been enabled and has sensed a 50ns pulse 
on its signal line. 


en = ae « oe) 


ee 


. or 


oe -<~¢ 


i. Pree 


4am 


at 2 9S no enibanged 
wubS< eft Xe fone 5 


<< 
ee |S 


— 


-_ 


en easibbo 424 


viseef ytixotag 


 T970wOO MexO 


> mm 


Chapter 5 
Axiomatization of S*(QM-1) 

This chapter discusses the key issues which arose in the 
formation of an axiomatic definition of S*(QM-1). Each of 
the three stages in the instantiation of S* to the QM-1 
along with their effect on the verification of S*(QM-1) code 
is discussed. Axioms and proof rules are given which 
describe the semantics of language constructs according to 
the criteria presented in chapter 3. 

The following notation is introduced to describe the 


semantics of the language constructs in S*(QM-1). 


Definition: The logical formula P[x/y] denotes substitution 
of y for all free occurences of x in P. This corresponds to 
the more uSual Hoare notation where x is the superscript of 
P and y the subscript of P. 

Definition:  Thedformula: P[ix4/y,]ixz/y2).silxa/yn] denotes 
the simultaneous substitution of all free occurences of the 
variables x,, Xz, «+. Xn in P by the expressions jy, 
yoyreey, ,erespectively.sNote thatmethetvariabbesix7, eka, .5% 
xX, May only be substituted once, and occurences of some x; 
inoexpressions yq, Y2,.+-Yn are not replaced. Furthermore, 
the substitution is not defined if the variables x,, X2, ... 
xpwanetnotidastinct< 

Definition: Substitution formulas containing brackets 
denote repeated simultaneous substitutions performed on the 


inner-most bracketed variables first. For example the 


26 


- 
t 
ach 4 ; 1 
{seem . (T=) 
wf — ° 
~ Le” r 
t-MC 
‘ 
tc 
"5 1 
G 
! Mi 
" > 
- é 
4 Da 


_ 
10909 anlumso7 itis ions: tes ir] 
ysausiseadue supenasivale & HegS3 9S 
a a8 ; 
Y devi! eektisher Secedestd acm 


42 lis to (ole igetins auo90 Vn 


so Sas ,soro Bede itedae ad yino a 
, 4 


9c) if Benrdes jon as rants edua. ; 


ie 
ait! F108 eet $70) pir et 


a a 

a¢ : sce 
oe 1% * ak **-. ,ot <eX%- este 

hd a 

do tet safe .@lavitoowaen , Vs 
- : - 7 

_ 

SIS oXeseeet rt enoleesiq%e 


—a & 
.. 


PD réniseis sion ot 


zu 


formula (P[x;/y:])[x2/y2] denotes substitution of x, by y; 
Followedsbyesubstitutrontofox.sbyuysurNoteathatvinethis case 
variables can be substituted more than once. In the previous 
example if y; contains the variable x, then yz will be 


subst@tutedeiornx; ninty,< 


5.1 Data Declaration 

In general, the purpose of the declaration section is 
to introduce named objects and to designate their 
properties. Since S*(QM-1) is machine specific, data objects 
.are predefined and correspond to actual locations in the 
QM-1. The binding of data objects to machine locations 
greatly affects verification because it defines the state of 
the machine. The axioms and rules of inference for the 
language must describe the effects of execution of language 
constructs upon these data objects. 

It was the declaration of the residual control 
registers in the QM-1 which had the major impact on the 
axiomatization of the language. Via local store 31 and other 
sources, these registers can be loaded with values which are 
not known prior to execution, thereby allowing their control 
function to be determined dynamically during the execution 
of the program. Thus, if left ‘undeclared, the programmer is 
prevented from exploiting the parallelism which is available 
in the QM-1 by the explicit control of these registers. One 
effect of the need to declare residual control registers was 


the introduction of new constructs in the language. 


vs. 


Re Pia aL 
'¥ vd .«x fo fo ae t2 ial - 
“oe _ 
s@e5 eid? ai sail 990 os O-4 tdi . 
; : of om 7 
auoiverq sd3al vestie mad. atom Dt 
‘be 


: iy 
7 io mhegaeg. gid jis 


Ca 


i 


oni 3 ieanpreeh of Agere oetda § beman 9: 


rey MJEP GIO D Sne tat : 
ae i a 
- e3ch 10 paibai 


> dows 8 5 =e 
a ean av 


- — 
- not T 
7 + . * i: 
+ eo. 
1 3 iP. - 
~ ¢ 
- { => - 19 
' Sim > « , 
4 o — 2S « 3 & 
> . ¢ 
‘ > 
( Si} 2 4295 tty ae | 


o bas 1a3@ f[eool a:V .soavprei “82 to nebeeei 


ioldw ee iv diiwv Asfiisol. od wen. exedeies: ‘eeed3 yo 


@ 
f - : se ns ie i A 7 
3,45 Oi 7O1.LlS yor (erica Pris | iJ Bax? o2? 7oOLIg awor Aa 


sis polauh yilsoimanyh bent mreteb ed. o2 notton 


i 
f 


steo%g os betel - shau' s2eL 22 eon -mBIQOTg e A; 


siielisve af Apidw wetlelisisa a3 pnizioiqxs ae ev 
: f 


_ fo 
eieteipe1 Lloranes Leubiesx stsinab of & Sm of: 
; ., a 2 : 
peupnel aft ni atousdenep wed. a0 ' 
. barra, 


iD 
5 
) 


ee 


28 


5.1.1 New Types 

An important property of structured data types are the 
selection operations associated with the type. As originally 
designed in S*, the actual access mechanism of the storage 
device corresponding to a data object of some structured 
type is not visible to the programmer. For instance, for an 
object of type array, elements of the array are referenced 
by specifying the required element, e.g. local store[31]. 
The actual mechanism selecting this location has not been 
specified. In the case of storage devices in the QM-1 whose 
elements are selected by residual control registers, because 
of their visibility to the programmer it is necessary that 
the associated access mechanism be explicitly described as 
part of the type. In effect, this is a considerably lower 
level of description, Since it actually specifies part of 
the underlying data path structure of the QM-1. 

The following two types are used in S*(QM-1) for this 
purpose: 
The array-with-pointer which was already present in S*, and 
an entirely new type union-with-selector. These types are 
Similar to the array and tuple respectively, except that the 
selection operation corresponds to the actual access 
mechanism used in the QM-1 and is completely visible to the 
programmer. 


The general forms of these declarations are as follows: 


\ 


a" 


er: sim asqyy step basuzt 
7 


r 


| 
iLanipd sa GA 95 wis: ae Oe hi 
' : 7 a 
2 sift (to “methadser 
sé > 
J I272 s9 20 3s 


1¢ ;22 e76 636 ana @ +a So whize: aq 
. i ary i 
. levee fast ips sun 2 oe orl ea 
7 as 


pe be inodyes 


@ 


ag > 
od oe ni 


one 
ile sien eearse be | 
7 7 a — 
is al 
(a4 i eM 
: . g 


- , 
*” 
io Wie 
* +¥ 
- + - - + _ = 
«6 & - - %. — 


29 


a) <id,;> : array[<dimension>] of <type> with <id> 

,<id>}* t:<type>s5 
where the with ... clause specifies identifiers of the only 
legal index variables for the array <id,>. That is, the 
selection of the array element to be accessed is determined 


solely by values of one of the index variables. 


Example 2 


In the QM-1 a source of input data for the control store is 
one of 64 "logical"*® local store registers, and this would 
be determined by the setting of the 6-bit residual control 
register fcid. This relationship may be denoted by the 
declarations 

type ls_register = seq [17..0] bit 

control _ store data : array [0..63] of ls_register 

| with fcid 

Given this declaration the only legal reference to the above 
Structure (say in an assignment statement) would be 


Wcontropsstoneidatalicid]”. 


b) <id,> = selléctor {<id,>} t:<type>+ 

> The notation {x}* denotes zero or more instances of the 
entity x while tx+ denotes zero or one instance of entity x. 
‘ If the source specified by fcid is greater than 31 the 
control store data bus is connected to a source of all ones. 
This is also true for all F-store registers selecting local 
store registers for output. Therefore, "logically", the set 
of local store registers consists of 32 registers and a set 
of 32 non-existent registers whose value is all ones. 


, 


7 7 


104 24 <b — 
(<yBe>] z03>00L@) 


<n 


Ls 


30 


<id> :; <type> 
{<id> : <type>}* 
endun 

Here <id,> acts as a selector of one of the locations 
enclosed in the union clause. Thus, the union-with-selector 
type models a hardware multiplexor (Fig. 4). However it is 
illegal to reference the selector (<id,>) explicitly. 
Rather, it is side-effected upon reference to a location 
pesidemihnerunion. lf the i-th; (i120) location 1s referenced, 
then <id,> 18 set to 1as a side-effect. 
The locations within a union can only be of primitive types 
bit or seg. Structured types when present are considered to 


be decomposed into primitive elements. 


Example 3 


The control store input source of Example 2 can also be 
declared as: 
CoOneLolystore data ~: selector sicid 
union 
Tocalestore™ @warraypus.c (le orelseregister 
all_ ones SparraylOe. on) Of source all ones 
endun 
Given this declaration, a legal reference to this structure 
ise'consrolestore data.fcid.localestore| 12)". ‘Such a 


reference would, as a side-effect, set fcid to the value 12. 


OF 


+: fod wits) boneteds 
| nae wa wot teat 


; b> Catat 
te ——— 

ca 

. SIGS J870% 

— 
a 
© 2 f » 
4 c ne so 


7 ; 


S@emv4 G2 F 
wy rh 
ray B APAgiW 


We’ SHOR! 4o2e comin 


‘a8 ree 7 28 
ft a 


hs ~ 
ab @1018_lo cD 
: a? : 


31 


selector <id> 


' 


M 

U 

L «—————. <id> 

zi «——————- <id> Components of 

I the 
ain P % Sxpanced. union clause 

L 

E 

X «——— <id> 

E 

R 


Figure 4. Correspondence of Union-with-Selector Type to QM-1 
Multiplexor 


In fact, the object nanocode corresponding to this reference 
would tfirst Set fcid to 12, and then use this value in fcild 
Eopaccess= local score. INOte that, ther reference 

"control store source.fcid.local_store[fcid]" would be 


illegal. 


In summary, then, the union-with-selector data type allows 
the control function of F registers to be specified while 
the array-with-pointer allows references to storage 


locations using the preset value of the F register. 


Si.2osotruce. «Declaration 

Unlike type declarations in strongly typed languages 
like PASCAL, S* and S*(QM-1) allow a data object to be of 
more than one type (i.e. can be a multitype object). It is 


useful in HLMLs to allow different views of the same storage 


; 
i ll ‘ = -& = A 
e792 ec of isfacoss 4 70 tale 


“ug SO3 qo 2 acyV 


e 


So: ewolls 303% 13 


nef Bagys ylpnerta nt engi sevetoeb eae oa tint 


wos ae tne ¢ m1 — 
(toerdo enygitiun ee ed Asp 8. 3) ages t 


vis 3986 $2q .: of3 afew 3 


4 mr: Vv 4 ) «4 bie | ole Ps 
. in 
7 L ahs ipa. a2 Swe _© ‘ 


ee 
al Sau a 
rotanenloet “sovste* 


er 


ary 


‘gns18222b voris pe 


} eae 


D -- - 


32 


device. For example, in the QM-1 it is convenient to view 
local store registers not only as an array of registers but 
also as a structure consisting of varied components. (i.e. 
instruction register, index register, etc.) The notion of 
multityped variables was expanded upon by allowing the 
declaration of new variables as combinations of existing 
predeclared variables. This was necessary because of the 
introduction of the array-with-pointer and 
union-with-selector types. The selection mechanisms in the 
QM-1 correspond not only to a single storage device but also 
to different combinations of them. 

The part of the declaration which defines new selection 
mechanisms on predeclared locations is prefixed by the 
keyword struct (structure). A struct declaration consists 
only of structured types whose components are either an 
existing data object or a variable name which itself has 
been declared in a struct declaration. In the case of 
multityped declarations at least one declared types must 
consist of predeclared variable names. 

Example 4 
Servet controisstorendata 
elatrayrd 02063 Jobseregisrerrwith)fcid 


selector fcid 


union 
localistorers atrayai@Ocnoienulo£ lspreguster 
all_ones s array [ 0..31 ] of source_all_ones 


endun 


weiv of Sie ne: et at 


2recaipad Ye. uat36 fs = 


_ 
\ . y ” 1 ion 
)) .esnenogmea Belisw te 


-- 


ben Tustet 7 
,) 
\ es is Par: 
¢erte edg oe nota 
y Pa 
al ee 
AF Ge ex 2 soraalaenat . 
pay 
ig 5 -" i a0 2a broqees30 
id tov gimmie midmon 4 | tS 
Bea eo: a us 
pum v.84 + aD ons 30 3 eq edt ‘ 
‘pies 
a om py 
seioeberg s0 amainadoee 
- ESey: ¢ 


tents 5 a. bersie 
sh eno femnl 26 Bwolser i sat 


S@2zeloas Sd Yo tate 


m ig30 oe be ; 


35 


This declaration defines the new access method associated 
with the type array-with-pointer to the combination of the 


two predeclared arrays, local_store and all ones. 


5.1.3 Pseudovariables 

Unlike locations which retain their value until 
explicitly changed there exist locations in the QM-1 which 
are unstable and transitory in nature. These locations are 
declared as pSeudovariables and are prefixed by the keyword 
pvar rather than var in the predefined declaration section 
of S*(QM-1) programs. 

Pseudovariables correspond to two kinds of transient 
locations in the the QM-1. The first, are the K-vector 
fields which form part of residual control - since these 
fields are part of the executing nanoword their values are 
reset from one nanoword to the next. The second, are 
locations corresponding to the output buses of functional 
units in the QM-1 whose inputs are being continuously 
propagated through the unit. (i.e. ALU, Shifter, Index-ALU) 
These locations are considered unstable since the input to 
these devices are local store registers which are selected 
by residual control registers whose values may not be known 
prior to execution. 

The transient nature of pseudovariables implies that no 
long term assumptions can be made as to their value. This 


causes several problems in attempting to prove program 


o 


cs 


- ’ ~ sf 


ae Te 


Ps sialiniaien 


, 


2 “ bnitzen ae07™ 


— zh ; 
ad? oz es = 


faa 
ear ees 
— % os -2_Lonet 
¥ 


as. . 3 
Oe] 
 . 


a 


ita sbifasot ‘ods 
| tae Pia 
ates pines bee ace 


: a 7 
sea *nfiease? : 


bate pid ‘se 


, 


c =] Py Tuba J MOR > 
poIg ony Hs Y tac? 
FAR —— 7 
ie 
« » ilies | 


oo P24 - ee 434 
— ; 
: ® Say w i | 
pds. 3 ; ote abd 
4 a 
} 277¢ a , bs 


= 


; (oe 
; +, oF Isz2I00 Brooks 
2 Pa — 
el’ a : = 
“My 29 ni 
fo «Dall Jity 8f7 aiguoun? Se tapa 


7% rf) #2 TSOE S T as Py & rot 4in36f 


— 1 


- @ my 


- 
33259 pom ates, nrg 
- 7 - -_ 
ad ne | not agmu ma 
° . he 


wa 


34 


segments in which they appear. It can however be guaranteed, 
by an S*(QM-1) compiler, that once a psSeudovariable has been 
Gefined it will remain stable at least until the termination 
of the statement following it - after which it is necessary 
to assume that its value is undefined. In effect, this 
couples together the statement defining the state of the 
pseudovariable with the statement using its value.’ 
Example 5. 

pyvansatufoutabusyiaseqi fiz: e9]obit 

alu-out_bus s=yrealuffair])+ :lealulfail]; 


local_store[faod] := alu_out_bus 


Formally, pseudovariables can be considered to be 
implicitly side-effected upon execution of an S*(QM-1) 
statement. Thus, for all pre-conditions P, with assertions 
containing pseudovariables, the following must hold for the 


post-condition Q of the statement: 


O[PVAR/undefined value] > Q (T1) 


where PVAR denotes any pseudovariable appearing in the 
pre-condition P. The simple if statement*® and all statements 


insideva cocycle (cf 5(S8iadhtarepexceptions to this rule. 


7 For a discussion of the effect of coupling statements on 
microcode compaction see [Rid81a,Fis81a]. 
* A simple if is an if statement where the body of the if 


contains only a single assignment, goto, return, or cocycle 
statement. 


‘ 5 oes 
4.36 steze 623 palintish 2astes 


a _ 


* 7 en 


, chun . 
. PB , 7} - ——— or & 
: Dae: U Sfeeedate Sto Arie car 
is Al ¢ eS okt 
7 
355i ‘ 
ok)? tiee.-2° cud 


Peemay 

ip 

awh 
- 
d 


; - =" 
t ~ i bs =* i wl aba 
a 
"J 543 267 t 


@ ry 
a] 
om = ai * 
~~ io — 7 
a 
, 3 f wo —— | 
= \ 
. St! Fi 1 16606 \4AVG.. 
e 
> 
» P - 
" a i ei ee a | - 9 1m ~iranar ie? = a ao 
esqqe sidsixzarotueeg yma essonab 
’ 
~~ oo to 
t - t : ~ 
f 
a 
’ ; E 60° 3 
_ = + e% 
' ¥ + vw 


39 


Pseudovariables appearing in these statements are not 


side-effected and remain defined. 


5.2 The Axioms of Assignment 

In S* the assignment statement is used to model data 
transfers within the machine. Due mainly to the declarations 
of residual control registers the assignment statement in 
S*(QM-1) is not free from side-effects. Thus, it was 
necessary for an axiomatization of the language to 
incorporate these side-effects into the definition of 
S*(QM-1). The manner in which they could be embedded into 
formal semantics is greatly affected by the decisions made 
on both, the form of the assignments and expressions in the 
language and also their correspondence to actual machine 
operations. The following sections classify the types of 
side-effects which occur in assignment statements and 


formally describes their semantics. 


5.2.1 Simple Assignment Statement 
The simple assignment statement 
x TRiRy. 


where x,y are locations satisfies the axiom: 


{ (P[SEL/V])[x/y]} (A1) 
X 3= y 


aE) 


7 * 7 -_ 7 
SAMGOrs 4 He 


Ms 
7 J 
£ iw 4 nas 
a +3 eM 
® PACRSTE Et 
aq = 7O oy 
- ¢ 
- ot, rg 
é —s * 7 - wt 
$ we « 
+ — ua * © 


tieds asditanel Ci 
) 


i jnemete72 InsmnciaereA ait 4 


Jhaeneress sawmapiave eigmie oT 


36 


where SEL denotes all selector locations side-effected by 
reference (if any) to a union-with-selector type, and V 
denotes the set of values assigned to the selectors. That 
is, P[SEL/V] is equivalent to P[sel,/v,][sel./v2].... The 
brackets indicate that the side-effects occur before the 
actual transfer. 

Example 6 

Let "control store data” be declared as in Example 4, and 
let P be the assertion. 

{control_store[cs_addr] = 


control store data.fcid.local store[15] & fcid=15} 


Then by axiom (A1) the following formula is true: 
{P[fcid/15][control store[cs_ addr] 
/control_ store data.fcid.local store[15]]} 
control store[cs addr] := 
control store data.fcid.local_store[15] 


1, 


On substitution, this reduces to 
{ TRUE} 
control _store[cs addr] := 
control store data.fcid.local_store[15] 


oe 


A necessary condition for any transfer to occur is the 


oT svafigtiadoedl. Ay fale @ 
ata ato ied 2us2e sae 


pa OP he . 


2 aie) 9 a 


bane .6 elggent nit ace Seta >a’ eS siete: 


seunxy ef sivietc i ivtailet ens (fag 


od ee at a 


(21 Jevoge. Lacol, 6193 .ateb. o7ot>c_lorgasz 


Od essussy eros ,NoLe 
IBuRT | 


i i 
=: [tbbs, 29) ea6: 


—_) 
fh 


( }ss074_tamet -6i58.adeb_erota_loxraod - 
tas 


ae 


existence of a direct data path’ between the source and sink 
locations of the assignment. For each such statement in an 
S*(QM-1) program, there must also exist a mapping of the 
statement to nanoprimitive control fields. If this condition 
is not satisfied then the statement is not compilable and a 


mapping error occurs upon compilation. 


5.2.2 Expressions in Assignment Statements 
The second class of assignments are of the form 
X3=E 
where E iS an expression. 

As noted in chapter 4, a second group of residual 
control registers - the K vector fields - are part of every 
nanoword. During the execution of a nanoword each T vector 
is activated while the K vector remains active throughout. 
Fields in the K vector specify: operations performed by the 
18-bit functional units, mask values for testing, and 
constants for injection into the 6-bit domain. An expression 
E in an S*(QM-1) program, containing an operator bound to 
some functional unit will side-effect the relevant K vector 
fields by modifying or selecting the function to be 
performed. 

A second source of side-effects are the output lines of 
devices in the QM-1 declared as pseudovariables. The 


> A direct data path is a path in the QM-1 taking input 
values to an output location without moving data through 
intermediate locations declared as variables in S*(QM-1). 
Notice, however, that the value of a pseudovariable (cf. 
section 5.1.3) may in fact be affected by the transfer. 


of Way c4rluv seem (ein lencidans9 gid 
hy | é _ 


; : , ae? VPs 
eneh.s23-38 sd¢ o9ng Hatiosatat 102 esnad 

‘ Hoge : - ~*~ 
2 oo AS eolnlelae9 manger (if -MD) ez so | 
Sea : ae 
ieteitong? | 


38 


evaluation of an expression using these devices sets the 
value of the corresponding pseudovariable to the value of 
the expression. 
Expression evaluation is the major source of side-effects in 
S*(QM-1). 
Example 7 
Consider the expression 

shit infftsid] t<<s(5) 
This will perform a single left logical shift of 5 positions 
on shft_in[fsid] (i.e. local _store[fsid]) and side effect 
the K vector fields kshc (which encodes the shift function) 
and ksha (which encodes the shift amount). Also the shifter 


output bus will be set to the value of the expression. 


Example 8. 


S*(QM-1) also allows an operation to be indirectly 
Specified. For instance 

shft_in[fsid] (kshc) (ksha) 
is again, a shift expression where the type and amount of 
the shift depends on the values of kshc and ksha. The only 
sade-estect an thissexpressronawall, beetheasetting,ofathe 


shifter output bus. 


In comparing Examples 7 and 8 note that the latter 
expression is at a "lower" level than the former. Thus, 
there is a trade-off between the level of expressions and 


the presence or absence of side-effects. 


Fa"), . Oe 
ad es opt is-abie 6 eorex 


(elarrt torah oy By | 
anoliigzeg ¢ 30 siidte Lestpol shod Uightx a ne iw @ 
gostis shic tow ((hietjaxese8 Sat ah (ote l —_ 
(notjonge$ 33 2 of9 eebocae Astie? ea shistt roszev as 
isdtide ez ofléA .\ Snweme, SPide sae ‘sehoons dvtdvl. eA 


ulsy of3 of 398 sd itiw ewe 3uq 
i 4a- 2) oe 


> os “ An 
,<NeTt2SsiIor> of ID 6 


» - & ' "3 


witoeiiimi dd. o: 16789. ae awe fie mata are 
eonssant 20% bait 
beded) (adea) (bietiei side 


‘ 


to dewomn boa ogy edd eisdw aciegesqee Jtide. - aisee. 
yioo sfT .ered bre afeA to a ads no whneanh: Stine-a 


=i2 39 parities edd ad Iliv nolaaeagss gidi nb 42533: 
: DRA J ; 

aud tuqiuo : 3idi 

veers 

Mi a) 


: i 7 Usie af 
weesei e439. Jar? ajon a bas v seigansa prize ! 


: 

2007 , seed elt osis ‘Lovet Wy al" -@ ds: ahes sven 
eat A - = —_ 
bas snotengaqne te Loves od3 nees om 7° pel 


| 7 ai i Sh ih in 


e o356%;32 > |. 
* et hird are yen : nee 


7 Mg niece - 


39 


S*(QM-1) also permits complex expressions of the form 
(expr,) expr, 

where the expressions are evaluated inside-out. Such 

expressions correspond to directly connected functional 

units. In the QM-1, the ALU and the shifter can operate 

independently or as a single unit performing double shifts 

on the output of the ALU and the shifter input (Fig. 5). 

Example 9; 

The expression 

(igetul faititrgaluftairdieshition[fisid]: 1<<d(5) 

specifies a double shift on the ALU output and the local 


store register pointed to by fsid. 


The axiom for assignments containing expressions is: 


{P([SEL/V,][CNTR/V2][MOD/V;][MASK/V,][OUT/E,;])[x/E]} (A2) 


where CNTR denotes K vector fields which are side-effected 
as a result of the operations and Vz denotes the encoded 
values of these operations. MOD denotes any set of modifier 
fields side-effected by the operators specified in the 
expression and V3; defines the corresponding modifier values 
appearing in E. MASK denotes the K-field side-effected in 


the evaluation of the expression if it is a boolean 


~. 


vie n 
«pO . ~ a he 
wir G * juo-ahi 


si 


_ t aes 
vt 7 a -re 


Set boston Leys 


_ 
S = ”, 2 - 7 
pijaqys Des Tanhes YesoSs4e" 
’ Py 


t 


ae 


- “i an 


al 


= A eon 


i { ; > ey. 2 
4a 7 Saif cv \o3 


40 


AIL AIR SED 


Figure 5. ALU-SHIFTER Combination 


expression testing some condition in the QM-1 (cf. section 

5.3.2), and V4, defines its corresponding mask value. Finally 

OUT denotes any pseudovariables (corresponding to output 

buses of devices used in E) which are side-effected in the 

evaluation of the expression and E; denotes its 

corresponding expression. 

Example 10. 

Let P denote the assertion: 

{fsod.local store[15]=fsid.local_store[13] l<<s(5) & 
kshc=k,o & ksha=5 & faod=15 & fsid=13} 

where ky is a binary (or equivalent integer) valued 

constant, then, by axiom (A2) the following is true: 

{P[faod/15][fsid/13][kshc/ko] 

[shft_out_bus/fsid.local_store[13] 1<<s(5)] 


[fsod.local store[15]/fsid.local_store[13] l<<s(5)]} 


nee sine 


rene “s cece 
* _— ic 
noksoes .2>) TWO sda nf not] SOAR aeoR enksees ee 


a 


: J 
"ee 


qiisnid .eviav seem gpeibaeqse1103 eff genties 4V Buna ne beh 
tugive o8 pniSacgeezies) 2eldsigpvobueeg yna eed ® rhe 
edt ai Sstsetie-sbhia e14 doidw Ui gi beey geotveb ms ve 
#ti, 2egdneh .A Sne notagengze: si3) to. netyen 
-fotaesz0x%9 peiba 
Dts 
inokiaseas eds: szoreb a ja 
& (2) arrt rhtiedose: rasotiBseual®t Texosse Lasol | 
(6tebisl 4 @!=bos? 2 G-sriet, a gheoted °° —- (ite 
Seuviav (xepsgni tnaleviupeete) aenid sai ea 
78u32 86 paiwolin? edt SA)imobxse sili sista al bd 
pcsheen done hapnees! : Bary : 
[{apaemd (Ct Jerse, | | a\eud_ wold! dehy 
(Litlex>. (Ot iesede Tasotyt I ° Beal +60 


4) 


Fsod.local_store[15] := fsid.local_store[13] 1<<s(5) 
{P} 


For convenience, the side-effects for expressions 
[SEL/V, ] [CNTR/V2][MOD/V3;][MASK/V, ][OUT/E,;], will be denoted 


Simply as [EXPR]. 


5.2.3 Multiple Assignment Statement 

There are Situations in the QM-1 where the action of 
functional units result in side-effects on other locations. 
For example, a write to control store also sets the control 
store output bus to the value being written. Such actions 
can be described using the multiple assignment statement 


which, in S*(QM-1), is of the form: 


where x,, X2 are variables (or pseudovariables) and E,, E,; 


are valid S*(QM-1) expressions. 


Example 11. 


control _store[cs_addr],cs_output_bus := 


control source data[fcid] 


This same statement can be used to specify swapping of 


values of certain locations in a single time step.'°® 

‘® In the QM-1, a 7-step designates a single step of 
Nanoprogram execution and will, generally speaking, consist 
of the parallel execution of some set of nano-operations 
issued from a single T vector. The duration of a T-step is 
usually 80 nanoseconds (a "T period") although for certain 
purposes, this may be stretched under program control to 
last for two T periods. All nano-operations are classified 
as either Jeading edge or trailing edge according to whether 


Pe ae 


7 


he _ a, : ; 
(2) eo>t “Cepia 


¢ 
“e 
1 e 
ro ' 
é > se 2S Swe 
‘ r 
a ae: ’ 
° 
r + 
~ ' 
- a) << 
~ . 
‘ 4 
wd the G 
4 


42 


esgtufeidika s=tkaipicnd 
The validity of this statement rests on certain 
transfer-delay characteristics of the QM-1. 


The axiom for the multiple assignment statement is: 


{P[EXPR,][EXPR2][x,/E,][x2/E2]} (A3) 
Xi,X%2 8= B,,EB:2 


bP 


Example 12. 
fisid=2 &9ka=3} -Esid,ka::= kayfisid ka=2 &ofsid=3} 


where -(ka=2 & hfisid=3).l[fsid/kallka/Estd): = Gka=3 & fPsid=2) 


5.3 Control Constructs 

The following sections discuss the effect of 
instantiation on describing the semantics of control 
constructs in S*(QM-1). Also included is a discussion on the 


need for a parallel construct. 


5.3.1 Parallelism 

An important aspect in the design of S*(QM-1) was to 
take advantage of the high degree of parallelism available 
in the QM-1. The major source of parallelism in the 18-bit 
domain of the QM-1 is the ability to simultaneously gate 
values in and out of local store (and to a lesser degree 


'°(cont'd)the functions they define take effect at the 
beginning or the end, respectively, of the T step. 


" 
bs od 


ieLisreq . aed 


ma i [silesad ' 


43 


external store). Unfortunately, attempting to utilize this 
ability created a number of problems in the compaction of 
S*(QM-1) code. In particular, because the input/output to 
local store is controlled by F-store registers whose values 
may not be known prior to execution, data interactions (i.e. 
conflicts) were possible. So as not to seriously degrade the 
compaction of S*(QM-1) code it was assumed that certain of 
these interactions would not occur. However, Rideout 
[Rid81a] does conclude that the introduction of new 
sequencing constructs could significantly improve 
compaction. In view of these conclusions and the necessity 
of ensuring that data interactions do not occur the parallel 
operator, 8, is introduced into S*(QM-1). 
The parallel composition of two statements 
$1282 

specifies that the behavior of S,, Sz iS independent of the 
order in which they are executed. The statement following 
S,8%S2, begins execution only after both S, and Sz terminate. 

The basic condition which must be satisfied for the 
parallel composition of two statements is that they be 
interference-free. Formally, according to the Owicki-Gries 
[Owi76a] rules for the parallel execution of statements, the 
interference-free condition is defined as follows: 
Definition: Statement: S" = with pre-condition P" is 
interference-free from statement S with pre- and 
post-conditions P, Q, respectively if: 


NG APIUCA Ose S! {oO} 


Z ~~ * 
ise 
iw 
a 
"'y 


| oe 
ner | ang ites ; 
7 iv 


ted 


= 
‘ 


44 


SB GutP tea biShaiP} 


The proof rule for parallel composition is: 
{P,}S,{0,3, {P2}S2{0.}, interference-free (P1) 
iPie& PwheSa4Ssel@i cm Oz} 


where interference-free implies that S, is interference free 
from Sz and vice-versa. 

This is not the only parallelism which is possible in 
S*(QM-1). Also, instantiated from S*, is the cocycle 
Statement. Unlike the parallel composition of statements the 
cocycle statement specifies the concurrent execution of all 
statements appearing in the construct. This concurrent 
execution 1s ensured by the requirement that, to be 
compilable, the control fields initiating the actions 
specified by the statements in the cocycle must be encoded 
into a single T-vector and its corresponding K-vector. 
Formally, since this construct is actually a compiler 


directive the proof rule is given as: 
{P} $,0S260...0S, {Q} (P2) 
{P} cocycle S,0S26...68S, coend {Q} 


where S,6S26...0S, denotes some sequence of parallel, "2", 


and sequential, ";" operators. 


| »- ve 
. 7 ON — n 
| re Nae 
ee 
(ta), ooti-eonstalsedad vhs 


xg ? {<o a Gi FS 2 


9812 sanetelisini.2i.,2 sad2 << 


ni eldtageq 2: -doidw nz cgcotemempambeal sonal ts 
‘BSloyz0o sd? ai \,*2 maw vetaianggeni comment ts 
ef3 adnemsisia io noisleogmos ever c) as) eeikow sae 
ile 0 moijucexs tsetTysRo0: ef? aRepege Joemesede 
$Aexiusnen efdY.t502Ieneg adaat ‘bri raeqgs. 8 f 
3a OF ,Jety jnsmeitupes sad Yd beavers wf noite 
enoites. add potieitin: -abieRy doxsaen adt-. men 
boboons ed teum- eldyno7 siz oi eee om? (ws Orit 
e162 09V~-A.. Pn ihanoges 2305 e274 Bae oszeyeT sionis s 
tveliqmoo s yilavsos «i SouTiieéo eis Sonis -vitem 
328 favio Sb gigs teosg.adz svi 


= 
2a 


(Sq) [O} «29...922e8 Gad 


j On 


"a" \{ellersq to sonecpes-emom, geaoneh. 4a8 


, CP 


45 


5.3.2 Conditional Statements 

Like pseudovariables, testable locations in the QM-1 
are unstable. Unlike the former, however, test conditions 
are not declared in the data declaration part of the program 
but are part of the language itself in the form of test 
expressions. Each legal test expression is bound to a 
particular machine condition. 
Example 14. 
The machine condition OVERFLOW resulting from an ALU 
operation is defined by the S*(QM-1) test expression: 


LOCAL OVERFLOW of (local_store[fail]+local_store[fair]) 


Test conditions in the QM-1 fall into three categories: 

1. the "LOCAL" conditions generated from ALU and shift 
operations - CARRY, SIGN, OVERFLOW, RESULT, SHB, SLB 
(the latter denoting the high and low order bits of the 
shifter output bus); 

2. These same conditions saved as GLOBAL conditions in a 
special F register (fist); and 

3. SPECIAL conditions such as F_REG_ ZERO, MS_ BUSY and 
MS DATA. The latter, for example, is set to 1 if a main 
store read or write iS in progress. 

In evaluating a test expression (of the form shown in 
Example 14, say) additional side effects may occur because 
of the 6-bit K vector fields ks, kt, and kKx which are used 
as masks for testing the local, global, and special 


conditions, respectively. The mask for local condition, for 


46 


instance, is constructed by placing 1's in the bits 
corresponding to the conditions tested and zero elsewhere. 
The mask and the test condition are ANDed together with a 1 
returned if the result is true, 0 otherwise. 

Let "mask sel" denote one of the keywords LOCAL, 
GLOBAL, SPECIAL and let "MASK" denote the pseudovariable 
(i.e. ks, kx, kt) side-effected by the evaluation of the 
test expression B. Then the proof rules for the if, while, 


and repeat statements are as follows. 
P[MASK/V][EXPR], {P&BIS{Q}, P&7B=0 (ci 


{P} if (mask sel B of (E)) = § fi {Q} 


P[MASK/V][EXPR], {P&B}S{P[MASK/V][EXPR]} REE, 


{P} while mask sel B of (E) do S od {P&B} 


{P}S{Q[MASK/V][EXPR]}, Q&7B>P (C3) 
{P} repeat S until mask_sel B of (E) {Q&B} 
5.3.3 Procedure Statements 


There are three types of procedures which may be 


declared in S*(QM-1), instruction, subroutine, and 


As » ak aia 


ee 
esi e623 @ 
-srevdente & . se eet 


ts daiw sadcgiee Ranitie 
ja brsedtso 6; as 
AN abrowest o42-8p @ 
+{delrevetcoen «is sronag 


sf3 26 osiseurieve ads 
~2hiae ,.3i sé: =o? delvy too27 
~avoliee stem 

ag 

rd Ess ,(opeteedy eaienens 


iO? i2 2.= (fs) 20. @ Is@iieen eabmeilt aye 

. . a \ 4 oP ia “aa 
aaa] , taexe}tv\ze0de i. 
neg iat epee ay 


i] 


- *% — » © 4% 
(<2? 1 S9R4 2 i Va reky 


= 


= se » 2 : ’ s~ 
ea) ‘iea-sp ,/ {RSeel(V\seaMigleia) . 


p> 


p _ 


fam. (@! 404 ise Ane Lbditer & genie: i@} 
elit ot ae 


47 


interrupt. The procedure statements call and act serve to 
initiate these different procedures and because of the 
priority select mechanism in the QM-1 their semantics differ 
Significantly from procedure statements in high level 
languages. 
The statement 

cali p 
appears only within an instruction procedure and initiates 
the subroutine p. The call statement terminates only upon 
return from the subroutine p. All variables in S*(QM-1) are 
global so there is no parameter passing but subroutine 
procedures can be declared with or without an 
"allow-interrupts" flag. If specified this flag allows the 
execution of all pending interrupt procedures upon return to 
the calling procedure. Formally, the semantics of this 
Statement are: 


1. allow-interrupts option not specified: 


{P} proc p iQ} (P3) 


fP} scal btpttoe} 


2. allow-interrupt option specified: 


{P} proc p {Q}, v(i)(int(i)=({Q} proc x; {Q})) (P4) 


{P} call p {Q} 


19216: 


assoerisini. bab sivbas0sg aise 


ous (f-Mp)ee2 ni soids 


stiijvozdue stud oniataeq 3908 
as. 2uedsiv.20-dske anh 
ot? avolie pall sind Ssiliesge EF ele 


o2 naute2 nogr setubes07q tqurTngsey obitfed 


=? A 
eids to HOlinemee +43 ui Lees atten 


(¢9) lei cet 


(09) (C00) 1 songh fgndeta rarer 


7 al 
Wares 
7 ; 
7 ate : 
7 


48 


The assertion V¥(i)(int(i)3({Q} proc x, {0})) ensures that 
the execution of all pending interrupt routines will not 
@hrect. Che POSt-conaqition of (proce pe. The assertion Intti) is 
true only if the interrupt procedure assigned to priority 
level "i" is now pending. 

Example 15. 

anit. 5} is true if the interrupt procedure at priority 


level 5 is pending and false otherwise. 


The act statement 
act p 
activates the named procedure p. It is effectively a goto 
the start of the procedure. In describing the semantics of 
this statement the following notation originally introduced 
by Alagic and Arbib [Ala78a] for describing the semantics of 
goto statements is used. The notation 
{Plsprocep 1Qsip::Qids.sdpniQn} 

specifies that Q is true on "normal" exit from procedure p 
Whaler one of 075705, <2. bp Onmuomterue on exit from-procedure 
Deviakeactivatvonaot py;eps Per .Bphgmrespectively (Fig. 6). 

The semantics of the act statement vary depending on 
the type of procedure activated. In the case of instruction 


and subroutine procedures it is: 


{P} act p {false}{p:P} (P5) 


aad, | 
toa: Tht 

abd) ara ee es 
yaizobg Of Ssngtzan oxy 


yitsoliq te sivkss0I9 Jge 


.seivieizo 


=] 
o 
ial 
{ 
La 
f 
r 
wD 
é 
4 
D 
5 
Loy 
= 
corey 
ad 
a! 
al 
g 


becubortri yliantetss eoisaten save 
to apisnsmss sid enediises® ip2 (adstsiel Dida hae 2 6a 

nogiiesca eee bez ak ‘sinomesade 4 0 

| PMPs s soe veh ti Agen 199) 2174 

q swheoow sidcd 7EgS "“Lemsde" ce oes. ei Q.4udy est? 

sivbes670 aiotl tine ne aut? a4 ie ee, Dd «12 70 sna ti 

(a .pé9) ylevisseqess ..q@ «os ae vig nolsaeisea- Es 

no pnibasgesh yisv 37emesare 238. #2: 2e" soi snamee — 


nolisuzza@nd 29 seas edt a3 bs sanisom SHibesoNY 20 


7. AY 
sei 22 Cee ie: 


(eq) farq} seteatog 


49 


ep} 


Proc: 


act); WousO 7s 


Figure 6. {P} Proc {Q}{p1:Q1} and for interrupt procedures 
the act statement will not immediately activate the 


procedure but the interrupt becomes pending. 


UR WBAGT Sp) PRak inti) (P6) 


Again the assertion int(i) indicates that the interrupt 
procedure assigned to level "i" is now pending (i.e. will be 
activated at the end of an instruction or call procedure). 
Notice that the statement act p; does nothing if p; is 


already pending. 


5.4 Proof Rules and Axioms for S*(QM-1) 
In this section the rules of inference and axioms for 
S*(QM-1) are summarized. 


1. Simple Assignment: 


{ (P[SEL/V]) [x/y]} (A1) 


2. Assignment with Expressions: 


{Pp([SEL/V, ][CNTR/V;][MOD/V;][MASK/V,][OUT/E;])[x/E]} (A2) 


_ : 
.4) Grae 
on 
| * | oe i 
pezubesoIg sgritedas. 263 ae 4a)is 
edz scatizon hier aidan is ite aundeia 
-prihnsg aonhowid sansa aif’ sud a 
- y : ” 
i249) itiiant &. FZ] ‘7 gpg de}. 2’ sae Cie 
a =e hos isd 


jqeaasini s#s. 3684 ee ao! tyNeae, dye me 
od Jitw .e.ik poltnag “on al “2 * Yewat o2 Bang tees wis 


a = 


.lewbesote Lied 31 nei savstenb Bee hoe sit ia be F | 
BE «<3 72 pradgen tech 2a dneugtss ou? Jedo eld 4 
ve) Lpmtbrteqe 
a > i eel. @ 

(t-woO}et s0% amoixA One esiu® 3< 
210% amoiue ine ssagtetna! Jo ae iesy) edsuiotsoee-aidy. at 
| sbogivemmue) ets 
y» ginemnpigedé-e 
Cy\nl (haa) 


(SA) ifa\xD(t as 


50 


3. Multiple Assignment: 
{P[EXPR,][EXPR2][x,/E,][x2/E2]} (A3) 
X4,X2 2= By,,Es 


{Py 


A. 1f..f1 Statement: 


P[MASK/V][EXPR], {P&B}S{Q}, P&-=B>=0O (C1) 
{P} if (mask sel B of (E)) >» S fi {9} 


5. While do..od Statement: 


P[MASK/V][EXPR], {P&B}S{P[MASK/V][EXPR]} (C2) 
{P} while mask_sel B of (E) do S od {P&7B} 


6. Repeat..until Statement: 


{P}S{Q[MASK/V][EXPR]}, Q&-B=>P (ea) 
{P} repeat S until mask_sel B of (E) {Q&B} 
7. Call Statement(with and without allow-interrupts option 
specified): 


{P} proc p {Q} (P3) 


ipiecal lo peor 


0 


t snmino1642 bos 06 
Gaa }{ Ame 


-Inametet2 [bieuss 
7 
_ 


‘ ; 
\AZAMIO2iad) eaerer te 
5 : Lf 7 


5 1 


{P} proce p 10} 7e¥ Gi) hinelSeUiowiproc x; 10})) (P4) 


{P} call p {Q} 


8. Act Statement: 


{P} act p {false}{p:P} (P5) 


{Phfact spy Bas. intGD))} (P6) 


9. Parallel Composition of Statements: 


{P;}Sp{i07}, {P2}S2{O2}, interference-free (Pt) 


{P, & Pz} S:8S2 {0, & Q2} 


10. Cocycle..coend Statement: 


£P.}_.S..8Si pC Shan (P2) 


CBee 


11. Axiom for Pseudovariables: 


Q[PVAR/undefined value] > Q CTuley 


The following rules of inference are not discussed in 
this thesis but form part of the axiomatic definition of 
S*(QM-1). A discussion of the semantics of these constructs 
is given in [Wag83a]. 


12. Sequential Composition of Statements: 


jut eminem 
Ld 

* 

s > is 

> iJ w 


= 


Os 


_ 


Ee 
i 


3 
Lt 
wy 
4’ 
So © 
a 
bm 
wae 
» 
z 
> 
= 


aie 


_ 


a7 


ee 
> 


- . 
2 — +. 
> fei 
‘ °c 12 
o ° 2 —~nasemnsmmeyyp-spemmasntinan talent liillliadantiatina: 
7) 


SL GSE3EVOCOUS 


—. nf @eveln 
ii 36 it \AAYV Bit 


D2 


iP}S,{Q} & {Q}S2{R} 


dP Si; SeagRi 


13. Case..endcase Statement: 


{PItSe Or 


{P} case ir[17..14] of 0(OP1):S5...n(OPn):S, endcase {Q & 


Helazee14je= 0} 


14. Goto and Return Statements: 


{P} goto L {false}{L:P} {P} return {falsei{E:P} 


15. Region..endreg Statement: 


{true} 


{true} régioneSs, +SPepa;Sheendregeio} 


16. Do..od Statement: 


UPiis eS eames © 10} 


{P} do $,6520...0S, od {Q} 


Chapter 6 

Proof of S*(QM-1) Microprograms 
In this chapter, two proofs of S*(QM-1) microprograms are 
presented to illustrate how the axioms and rules of 
inference developed in the last chapter are to be applied. 
The two examples chosen are the QM-C multiply (MULT) and 
call ivCAbh) Sinstuuetion’ (OM-Cias the G-oriented architecture 
developed by Olafsson [Ola82a] for emulation on the QM-1. 

These two instructions have been chosen because they 
both contain loops, and perform two very different 
functions. The multiply instruction implements a 
multiplication algorithm while the call instruction must 
correctly save the contents of certain local store 
registers. Instructions with loops are presented because the 
generation of loop invariants usually is the most difficult 
part in the construction of program proofs. However, as 
noted by Patterson [Pat76a], loops are in fact quite rare in 
microprograms. This observation remains true for the 
S*(QM-1) microprogram written for QM-C, where loops appear 
only three times. Thus it is hoped, that these proofs will 
represent the most difficult proofs in the S*(QM-1) code for 
the OM-C. 

In constructing the proof outlines "auxiliary 
variables" are used to simplify the assertions and enhance 
their readablity. Such variables appear in assertions but 
are not contained in the actual code. They are used to 


denote the value of some machine location at a particular 


os: 


- Ls 
( 7 Le 
1 ra ny 
eee | 
a p> 7 ty 
— -_ 
7 3b eee ai ae 
BAS IPotqozS 
a : Pro, a 


5 2NSIHO qarekm (5-00 


> fa . ox _ ime 9 ‘i 
i fen | — a a a Xt 
a rv :) 3  « m_ 
' Lal ? ¢ a | 
im, 1— - | 
i "tf ; J 
fa = 
3 | 
f 
3 
4 = 
‘ 
P 
c 
c é ; 
‘ “\ .-4 
a } 
» 
LAVE y 
, _—— a 6 
a - - is 
4 
‘ gear “aed 
i< . 
7 = 7 4 «= 
Ls 
he ae 2 nr 4 = 
el a Se ae | — o row Sw ye 


(te 
hr 


e 
\w2o® h e 
ae! 


— 


¢ +" 
~ a. 4 


ae 
-_ , i 


a 


a ~ 


54 


point in the execution of the microprogram. Auxiliary 
variables will be denoted by subscripting identifiers by 
CO" etvergtexapiabce; ckcs)iGAlsoeintroducedyare capitalized 
variable names which are used to denote assertions in the 
microprogram. (e.g. F = {fsid=5 & fsod=3}) These names are 
used to denote assertions which remain invariant over 
particular sections of code. Logically, they can be simply 


viewed asS an abbreviation of the actual assertion. 


6.1 The MULT Instruction 
The QM-C multiply instruction has the format 
MULT ot re 
where ri1,r2 specify 18-bit QM-C registers; the effect of 
thisormmstruction is: 
reg{[r1] « reg[r2] * reg[ri1] 
where "reg" denotes the QM-C register file. The main 
component of the microroutine interpreting this instruction 
is a repeat statement. Before entering the repeat, the signs 
of the multiplier and multiplicand have been determined and 
both operands converted to unsigned binary numbers. 
The instruction register (ir) contains in its two low-order 
6-bit. Emelds «ir ibecand iracs ithesparameters*zirl and r2, 
respectively of the instruction. The repeat loop is iterated 
18 times on the unsigned binary numbers contained in 
local_store[ir.b] and local_store[ir.c] 
Each iteration: 


{he computes acpartialdéproduct; opprod, laccordingetosthe 


se 


O85 


expression pprod = pprod + mult[0] * mpcd 


2. performs a double-shift-right by one position on the 
concatenation of sh_end (i.e. the carry of the ALU 
Operation), pprodrand=“nure—(Pror7 } 

The entire S*(QM-1) declaration is not given, but is 

contained in the appendix. However, the following synonym 

declarations show the mapping of relevant QM-C "logical" 
registers onto the actual QM-1 data objects. 

syn fscrl : f-store[31] /*scratch register*/ 

syn mult : local_store[fsod] /emultiplier*/ 

syn pprod : local_store[faod] /*partial product*/ 

syn mpcd ‘cecil fava /*multiplicand*/ 

The S*(QM-1) routine for performing the multiplication is as 

follows: 

repeat 

Kalcis=79: /*integer value for ALU "add" operation*/ 


if (LOCAL SLB of (mult)) > kale = 31 fa; 
/*¥integer value for ALU 'pass left' operator*/ 
cocycle 
sh_end := CARRY of (pprod (kalc) mpcd) mult d>>1(1); 
pprod,sh_end := (pprod (kalc) mpcd) mult d>>1(1),0; 
mutt += (pprod’(kalc) mped) mult @>>1(1) 
coend; 


PScrimeeee scr | oe 


until (SPECIAL F_REG ZERO of (fscri)); /*test for fser1=0*/ 


The 


pre- and post- conditions for the loop are as follows: 


“i 
Ww 
7) 
© 
nm 


— 
. % 4 


“28 


[ 


nos: 


4id 
ae 


nad 


2 
_ 
> 


or 
. 


_ 


— 


56 


31, mped 10 


Figure 7. i-th Iteration of Repeat Loop 


PRE-CONDITIONS: 
1. anSwo=mult*mpcd 
2. F = {isid=fsod=ir.b & faodsfail=29 & fair=ir.c} 
Cee Boe Pb Sor tl) 
4, fscerl=18 & pprod=0 
POSTS=CONDITIONS 
le 
2. anSWo= pprod ® mult, where "e" denotes concatenation 
Proof Outline 
Consider the assertion 
INV =i eanswo=ppLrods2  +mult(172.16-1)-mult( 17-1 ..0)]*mpcds2” & 
Ee 
On entry into the loop body for the first time, this 
assertion clearly holds since, initially, by 
PRE-CONDITION(3,4): 
fie 10 
hence {answ, = pprod + mult[17..0] * mpcd & F} 
and, by PRE-CONDITION(4) pprod=0, 


* {answo = mult * mpcd & F} 


}7) 


which is true by PRE-CONDITION(1,2). 
Now, assume that INV holds at the start of the i-th 
iteration of the loop body. Then for this iteration the 


following proof outline holds: 
{ answo=pprod*2'+mult[17..18-iJ]+mult[17-i..0])*mpcd#2' & F } 


kalc := 9; 


if (LOCAL SLB of (mult)) > kale := 31 £i; 


MhanswoepprodFr2ktmulte(470448-2) +mule(47-tee Od empcd*2 ' 


&i{kahe=9°& mult[O0J=1) V (kalc=31 & mult[0]=0) & F} 


cocycle 
sh_end := CARRY of (pprod (kalc) mpcd) mult d>>1(1); 


pprod,sh_end := (pprod (kalc) mpcd) mult d>>1(1),0; 


Ph ansvoeppseds2d *POtT(pprodtmuilt [0 )*mpcd)[0..0)]+*2' 


+mult[17..18-i]+mult[17-i..1JeO*xmpcd*2' & sh_end=0 & F} 


mult := (pprod (kalc) mpcd) mult d>>1(1) 


coend 


jranswy=pprods 20m’ Ctrmult(d7e.d8a (aod 
+mudtlidot ttdbesddampcds 2hhcwk Fa} 


tscriw:eqtiscrini sn 1c 


~ pd 


e 


.C0+E) <b ehane 


58 


{ answo=pprod#2'+mult[17..18-iJ+mult[17-i..O0Jampcd#2!' & F } 
In other words, INV is an invariant relation for the loop 
(i.e. {INV} loop body {INV}). 
and 
{INV & 7 SPECIAL F-REG-ZERO of (fscr1) > INV} 
by the proof rule for the repeat statement it can be 
concluded that 
{INV} 
repeat ... until (SPECIAL F_REG ZERO of (fscr1)) 
{INV & fsrc1=0} 
which implies, as the post-condition of the repeat 
Statemenes 
{ answo=pprod*2'+mult[17..18-iJ]+mult[17-i..0]*mpcd#2' & F} 
SNS (Geseisoni=0} 
By substituting 18 for 1 in the above and simplifying one 
obtains the assertion: 
{answo = pprod e mult & F} 


which is the desired POST-CONDITION. 


6.2 The CALL Instruction 

The objective of the QM-C CALL instruction is to save 
the contents of the the QM-C registers and to allocate space 
on the stack before transferring control to the called 
procedure. The QM-C registers are mapped onto the 32 local 
store registers, their correspondence is shown in Fig. 8. 
The following synonym declarations are in effect and relate 


the QM-C registers shown in Fig. 8 to their corresponding 


an] 


fea 2A OMG adi poravis 
ay we 


rieiost 2-4 ade any a 


“ 


<a anes 


3 — P 
33 2 a ore 73 
> 
! * al J at :t32 
és 
- ~ ~~ =z ~v 7 
" < =. Oroges i Ieq + 


: me i 
i3s not 436 20teURs A aie: 
a 
F -? : - oa 
= > & - > taxd * we yy yy \ ey ee 4 
isnt of @ Age 9 ab avede am 


QM—1 Local Store Registers 


0 
11 
temporary. 2 
registers : 
15 
reg0 16 
: variable registers ; 
reg7 23 
Some 
registers 30 
[iaseroeion vesiower | 3 
Figure 8. QM-C Register File 
local store location. 
syn pe = local store[24] /*program counter*/ 
syn fp = local_store[25] /*frame pointer*/ 
syn eb = local store[26] /*external basex/ 
syn ax = local_store[27] /*auxiliary pointer*/ 


syn sp = local store[28] /*stack pointer*/ 


7 4 ; 7 ; 
is - 2 ft 
r lines, 


‘a - 3 lan 7 
oS pahtesel 
eg : = / 


60 


The stack in QM-C is implemented in control store, its state 
prior to execution of the CALL instruction is given in 
Fig.a0. 

Saving the contents of the pc, fp and variable 
registers in the QM-C register file is performed using a 
repeat loop in S*(QM-1). Before execution of this loop the 
following is assumed to hold. 

1. The instruction register, ir, now contains the value of 
the "mask-word". (see Fig. 9) The mask-word is the first 
word of the called procedure and indicates both the 
lowest number variable register used by the procedure 
and the space required for storing local variables. 

2. The program counter has been incremented for return to 
the calling procedure. 

3. The F-store register "fscri" now contains the value of 
the lowest local store register which will be saved. 
This value is equal to 16+low_reg (as contained in the 
mask-word). 

Given these conditions each iteration of the repeat loop, 

starting with "fp" (local_store[25]) down to the lowest 

variable register specified by "fsrci", saves the contents 
of the local store register onto the stack in control store. 


The S*(QM-1) code performing this operation is: 


repeat 


fcoid := fcid - 1; /*points to register to be saved */ 


control store[cs_addr_source.reg_addr[fcia],cod_bus 


ey <2 
eisie att .sxede Lez: oo at 


: oy ee ote . 
(%S tavig ei ant you fzai q 


_ 


; - ts ‘ 


= res —P awn F 
i 2 oe ee 
a , 


Z 7 ~~ _ =. = 
Q | 0? Seriipsa svege sd; 


- - ~ 
« 
_ -- ~ 
a ' 
_ 
=. 
a 2 
¥ ° 
~ F ~~ — 
- tha ~ «= - =? 


High Address 


QOM—1 Control Store 


value of old fp 


- 
: variable registers 
low_reg 

Ep 

space allocated for local 

frame variables of called proc. 

size 

Sp 


Mask-word 


low_reg frame size 


Figure 9. QM-C Stack Frame and Mask-Word 


:= control store datal[fcid]; 


61 


/* saves register on stack in control store #/ 


kx.local store[28] := xdecl kx.local_store[28]; 


/ 


/* decrements stack pointer */ 


ESer2* f=eferdr]tsret: /* set-up for test */ 


until (special F_NOT_ZERO of (fsrc2)) 


Formally, before execution of the CALL instruction the 
following auxiliary variables are defined. 


i Ws PC o=pc 


SSA 


> 


7 ws = a 


HeW-2ESM Gis) nani sions OO Ae 
’ a 


Deaal 7 ae a 
i S se +¢o * 


{(histlesab_o1pie,toisde2 22 ae ayaa) “eet 
\* etod@ Lorine ei dtede ne rose bee Gewese OO ay- et 
, (OS soz0se, Iaodi.vad I osbeeee {&Sjex0re_Las0f za 


\* %t9308eG dosse sirerie226ed F | ‘ie Aan 


\* tea? 993 -gr-tse «\. VPome2 - Gini =: Sy - 
((So1e?) 29 GER POKS fei2egs) 

hee wale +44 

eft notsowyseni IaA9 sf3 to ootsnoene B10%scd e 


-beniteh ore weldaixey hiemmryn 
eee +5 4: he} 2 


os 


a) 


co. 
-* 


62 


2. SPo=Sp 

3. W(k)(16Sk<23) rego[k-16]=local_store[k] 

4. low_rego=control_store[ir.abteb][17..12] & OSlow_regos7 

Now, the pre- and post-conditions of the repeat loop are: 

PRE-CONDITIONS:;: 

1. F={ v(k)(16Sks23) local _store[k]=rego[k-16] & ir=mask 
pe=pco+1 & fclia=28 & fscri=low_rego+16 & 17Sfscr1<24} 

2. Wtisp=spas&<fcid=263 

POS T-CONDEELONS: 

bese, 

2. control store[spo-1]=pcot+1 & control _store[spo]=fpo 

3. W(k)(low_reg<k<8) control_store[spo-9+k]=rego[k] 


4.) sp=spotlow2reg- 10 


Proof Outline 
Consider the assertion, P: 

{¥(k) (fcidsk<26) control _store[spo-k+25]=local_store[k] 

& fcid>fscr1 & sp=spo+fcid-26 & F} 
On entry into the loop body for the the first time P is 
clearly true by PRECONDITIONS(1,2). Now, assume that P holds 
at the start of some iteration of the loop body. Then for 
this iteration the following proof outline holds. 

{ ¥(k) (£cidsk<26) control _storel[spo-k+25]=local_store[k] 


Sp=spettcid-26 & fcid-tsrcl £ FF} 


fcid.:=,fcid)-1 


DD a 


i 


7 - 


_ ti 230 svete 
titan 


A 

a>: 

ve ree 
- 

1 sols eae Si<aist a ire 


? 


ou o iinet a - 


2 aor La ei 


ee 
~e 


fl ( 7 - 


6 rit [eo 


ry 


i <= 
hMeoageli=; elevede jon ne 


~ 

eniljuQ-3o ; 

| 7 — 
oe ‘2 1ef26 oid bt 
+s ~ yaa laxode lengns> (a> #2bio 4 
(9 3 aS-Kisieygesga a l199?<big 
_ res" TIA SAS va ai 
2 CH o VS, ' PCRs he CCl ahs ‘oe oss | 7 


io aolasyet) ence he, nese ’ 


eniig¢uo ix iG eniwelio§ en3 aokzex941 


4 7 
X sd 


63 


{ ¥(k)(f£cid<k<26) control _store[spo-k+25]=local_store[k] 


Sp=spotfcid-25 & fcid2fsrcl & F} 


control _store[cs_addr_source.reg_addr[fcia],cod_bus 


:= control store data[fcid]; 


{ ¥(k)(fcidsk<26) control _store[spo-k+25]=local_ store[k] 


Sp=spotfcid-25 & fcid2fsrc1 & F} 


kx.local_store[28] := xdecl kx.local_store[28]; 


{ ¥(k)(fcidsk<26) control _store[spo-k+25]J=local_ store[k] 


Sp=Spoticid-26 & fcidetsre!l & F} 


ESrCZea=eeciG —.fsrcl* 


{ V(k)(fcidsk<26) control store[spo-k+25]=local_store[k] 


Sp=Sp, sicida2o& fscr2=tcid-fsrel uP} 


Now if Q is the assertion given above: 
{ ¥(k) (£cidsk<26) control store[spo-k+25]=local_store[k] 
&R Sp=sp,ticid-26 & fser2=fcid-fsrel & F} 
then 
OQ & fsrc240 > P 
Therefore P is the invariant relation for the loop and by 


the proof rule for the repeat statement it can be concluded 


64 


that: 
{P} 
repeat ... until (SPECIAL F_REG ZERO of (fscr2)) 
{Q &¢fsre1s0) 
implying as the post-condition of the loop that: 
fcid=fsrci=low_regot+16 

and 
by substituting low_rego+16 for fcid and simplifying one 
obtains the desired post-condition: 
{control_store[sSpo]=pco+1 & control store[spo-1]=fpo 

& W(k)(low_regsk<8) control store[spo-9+k]=rego[k] 


& Sp=SPpotlow_reg-10 & F} 


~~ © =n 
AS 


ae, al 
“ ‘ 
5. EMS 
/ < 7 
beg Fo 


Chapter 7 
Conclusions 

This thesis demonstrates very clearly the issues that arise 

in microcode verification. It has been shown that although 

the language constructs are quite similar to those in high 
level languages their semantics may differ significantly. In 
constructing a deductive system for S$*(QM-1) these 
differences became apparent in describing: residual control, 
the different kinds of side-effects, transient locations, 
and the sequencing mechanisms in the QM-1. Yet, in spite of 
these differences and with a minimum number of changes to 

S*(QM-1) it was shown that the axiomatic approach to the 

verification of S*(QM-1) code was possible. Given that these 

Same issues are characteristic of micro-architectures in 

general, it is hoped that the form of the axioms and proof 

rules as well as the relevant extensions to S*(QM-1) 
necessitated by them, will have wider applications for other 
host machines and microprogramming languages. 

Basically, the following changes to S*(QM-1) were found 
necessary in order to ensSure microprogram verifiability: 

1. Side-effects were "classified" and embedded either in 
the proof rules or in the language itself. Embedding 
Side-effects in the language required the construction 
of the multiple assignment statement and the novel 
union-with-selector data type. 

2. Testable conditions in the QM-1 were bound to the 


specific expressions which caused the conditions to 


65 


66 


arise. Indeed, unlike the usual assumption made for 
expressions in programming languages, expressions in 
S*(QM-1) can yield side-effects. 
3. Transient locations were coupled to the statement(s) 
using their value. 
4, The parallel construct, %, was introduced for the 
parallel composition of statements. 
A surprising, but pleasant, result of the axiomatization of 
S*(QM-1) is that, it was possible to produce a reasonably 
small and uniform set of axioms and proof rules according to 
the criteria set forth in chapter 3. Even with the 
complexity of the QM-1 nano-architecture and the variety of 
side-effects and conditions that may arise, it was still 
possible to define proof rules with few qualifications. For 
instance, the proof rule for assignment is valid for al] 
assignments in the language encompassing the many different 
Side-effects which can occur. 

However, it should be noted that the axiomatization of 
S*(QM-1) could have been simplified if some of the features 
of the QM-1 were not present. Although in some cases there 
is a trade-off between verification and the design of the 
QM-1 as an efficient host machine there are changes to the 
architecture which, if done, could simplify verification 
without compromising its design. These changes are: 

1. the removal of those side-effects whose semantics were 
embedded into the multiple assignment statement. (cf. 


Se2r3:) 


> Sy oe fea faeed 


ores | 163 okay - 203 7 
~ ‘ 


sa: obi od 
© 
Z oe - » 
4: 2 lo .\10eaee 2/6 
‘A. 
4 izeel¢ eon 
or 
4 = 
4 : tye trees = 
é a 


PPine’ x! Lios | gee ME ainia jst? 
; are 


as 7 é © 4 ea a a) 
,a4h 2% i | - } iO resp eds a a 


is- ies Fe 
= 


67 


2. the removal of locations which are declared as 
pseudovariables. For example, the left and right inputs 
to the alu should be gated into the alu rather than 
continually propagated through it. 

3. the polling of interrupt requests. In the description of 
the call and act statements it was necessary to restrict 
the actions of interrupt procedures because of the 
uncertainty of knowing exactly when the interrupt would 


be activated. 


7.1 Evaluation of S* 

Since the constructs in S* are based on the structured 
constructs in PASCAL, the formation of an axiomatic 
definition for S*(QM-1) was aided by the semantics presented 
by Hoare and Wirth for PASCAL [Hoa73a]. The appearance of 
these constructs in S* allows the application of existing 
knowledge on the semantics of these constructs to forma 
basis for analyzing them with respect to languages 
instantiated from S#, 

A second feature of the language which proved useful in 
describing the semantics of S*(QM-1) was the notion of 
types. The concept of type in S* is not nearly as powerful 
as that in high level languages, since in the 
microprogramming domain compilablility must also be 
considered. Yet, as demonstrated by its use in both the 
union-with-selector and array-with-pointer, types can play 


an important role in providing a lower level description of 


7 Ff 
fa 
o te Sak 
a yours we é 7-2 
- i va » ; 
es . ‘ 
: 
ey, 
ry . Ia7TO | 
i 
Ms e «/ , t i T\ ed oat 
4 ! j 5 2eav 44} 
x &S :~ 
: a Pre om : "4 A 5 ,? jd 
>: te1707 esi 3 OlcnateSS 
al 4 ‘ - e 
bd _ * 
isiayv 4 Si ss > oTy 
“" < 26 ¢ ry | 2 2% f 7, 
Cm ; - > . ‘ + 
‘ 7 = : ° so & 
4° } = £g ae ypnsJ f ey 
rer e f 
; f ve “iiltideligquos nieaeme 
‘ Pi : 2 _ 
i oe ii 4d besarzenomeh as .2 
. 
ens 7% 
- - ——— oo | = ~~ 
2aqgys., 778i jiw-Ya2Ie. Soe. x 
- f — » f 
gizteweb fevel tevol « eae ee 


68 


the underlying architecture. The introduction of these types 
in S*(QM-1) enabled the control function of many of the 
residual control registers to be incorporated into the 
semantics of the language. 

It must however be noted that it was not possible to 
define S*(QM-1) completely within the framework of S#. 
Recall that one of the aims of S* was the construction of 
microcode without reference to control store organization. 
Yet it was precisely this control information which had to 
be incorporated into S*(QM-1). This indicates, at least in 
the case of very horizontal architectures, it may not be 
possible to abstract entirely the control structure of the 
micro-architecture and that in these cases a much lower 
level of description is required. 

As a final point, an indirect consequence of this work 
is that the very act of formalizing the semantics of the 
language raised immeasurably, one's understanding of the 
really important properties of the QM-1. In a sense, 
S*(QM-1) and its semantics is a precise and (hopefully) 
unambiguous model of the QM-1 nano-architecture which 
abstracts the variety of behavioral characteristics of the 
machine into a small set of concepts. The exercise of 
deriving an axiomatic definition of S*(QM-1) was worthwhile 


from this viewpoint alone. 


69 


7.2 Further Work 

A problem of some concern which becomes evident from 
the proofs presented in chapter 6 is the very low level of 
description and verification that may have to be carried out 
in the case of horizontal programs to ensure that the 
programmer is able to utilize machine resources both 
efficiently and correctly. Indeed, there is a substantial 
gap between the larger goal of a microcode routine (e.g. the 
multiplication of the contents of two register operands) and 
the final form of the S*(QM-1) program. It is true that the 
language does permit, to a certain extent, descriptions at 
different levels of abstraction. An ALU or shift operation 
can be specified either by a keyword (+,-,and,etc.) or by 
actually specifying the value of the kalc or kshc fields, 
local store operands of the ALU may be specified directly 
(fatnirtalul si; Gianyar alupes prortindivecthy andtatSa lower 
abstractionmlevelie(italulfabldpervalulfairs)ecBut;esince 
every construct in S*(QM-1) is bound to the QM-1 hardware so 
the range of the abstraction level is not nearly broad 
enough. 

Dasgupta [Das82b] has suggested that one way of 
reducing the gap between the broad, abstract, function and 
the concrete, detailed, form is to use a family of closely 
related (or "kin") languages each designed for, and oriented 
towards, a specific abstraction level or mode of 
description. For example a machine independent, operational, 


architecture description language called S*A [Das82a] 


of . 3 ter 


6 


a8 sob 


— 
i) 


70 


together with S* form the first members of an open-ended 
language family. Also discussed by Dasgupta [Das82b] is how 
S*A and S*(QM-1) can be used in the systematic design of a 
target architecture (in S*A) and its QM-1 based emulator, 
QOM-C (in S*(QM-1)). The language S*A was also axiomatized so 
that it could be formally verified [Das83a]. 

Experience with the work reported here reinforces the 
idea that such families of languages are psychological ly 
necessary if control is to be maintained over the firmware 
design process. Additionally, it increases confidence in the 
correctness of the design while giving a consistent and 
unified means of documenting the distinct stages of the 
design. An important question that remains to be answered 
is: "given an architecture design and it's description ina 
"higher" level language such as S*A, how is this to be 
transformed into lower levels of description, such as 
S*(QM-1), and demonstrably preserve its correctness?" 

A second issue requiring closer examination is the 
exact form of the assertion language used in the proofs of 
correctness. Again, because of the low-level nature of 
microprograms, problems are encountered in constructing and 
manipulating the assertions in the proofs. For example, 
variables appearing in assertions must be interpreted not 
only as bit sequences but also as the integer values they 
represent. The scarcity of theorems on finite bit arithmetic 
makes simplifying mixed expressions containing arithmetic 


and logical operators quite difficult. This problem became 


a 
3 oe 
behre-nsget 


vod 2] 
7 Z : 
te a . > 
» 28 Net eee aaa ae. 
i v1 7 
c es S426n f-éMO #42 
é 3 2 a 
Tf 
‘ 
nin 
re | 


al tx teat). aaqugeed - 


ee, 
oy 


et) 
ea re co 40300 


is } 


‘Tw. ngseeh eas Yo ae¢ it 


cota Wer 


igne m2 oh pe an & mn 


$230 up Anas a 
s9i7 Abels Helo e ta, = 


rt ve Soe 


TA 


evident in constructing the proof for the multiplication 

instruction ian chapter 6. The algorithm used both shifting 

and concatenation operators which had to be interpreted with 
respect to the more usual 2'S complement representation of 
the bit Sequences. More specifically what is required is: 

1. A canonical form for representing the value of 
expressions in assertions. This is certainly needed in 
view of the several different representations available 
(i.e. 2'complement, 1'complement, sign and magnitude 
elCuy. 

2. A body of knowledge to help in the simplification of 
mixed expressions and also transformations between the 
different representations. 

A solution to this problem is crucial, if as claimed, a 

constructive proof technique is to remain an intellectually 

manageable process. Clearly a complex and unnatural 
assertion language detracts from the general usefulness of 
microprogram verification by increasing the likelihood of 


erron,in thesactual sproos. 


ie 


a ae ' 
i 


‘patstine 


fighw vince aa 
te: nol tara SeNTges sromsignes 
vat, bextupan ai gntiw yl: ye: toy 


6. sulee os entat 


cog wt 5" 
7 Pe oak : a 
@ - » 


ae io conan 
iat Mow : ic 
ni bebesn -¢iniataes 2% sinh ‘ 


sideliave engiseirersi¢s% oe 


stutihgem be ante , cod ahoRMn 


* 0 


: 4 = ; 
Nae 
bay nos vans Pit aie SiS. 11'S slen ok atid to (oo: ; 
09 AeBawieag BAP it senz0: ines? \¢ etn bra enakeawrgae: bexiat 
| . soz _eoommner touna 28 
, . oa 
e ,bemigls ce i .Sciousc 22 abe eee oe eee 
6 
vileasoetiesn«® 46 “Tere 4 US cero roe. s Wid: 


; 


loweedtt bre xefo7 2 Cheese aie 
i a) ; 
. ‘oh Bea 


io stehiotekyw Isitendp, 513 Gon) stage a 


? 


basa ieAL’ ef? Ghiecexga: ge ro kite! 2 RRIQC 1 w7s 


ineag Leusnaatit tek 


References 


[Ala78a.] Alagic S. and Arbib M.A., The Design of Well- 
Structured Programs, Springer-Verlag, N.Y., Heideberg, 
Ber lan (1976). 


[Bar79a. ] Barbacei’ IM@R:, “Instruction Set Processor 
Specifications (ISPS): The Notation and its Applica- 
Hionse —rechnmeaius Reporte. “(CMU-CS=/9-123))", Carnegie- 


Mellon University (1979). 


[Bab8ia.] Baba T. and Hagiwara H., "The MPG System: A 
Machine Independent Efficient Microprogram Generator," 
DEEEA Pans 1 COMDUD wy Out CT S07) SDP. 37 3739ouune 


[Bel7ia.] Bell C.G. and Newell A., Computer Structures: 
Readings and Examples, McGraw Hill (1971). 


[Ber80a. ] Berg H.K., Correctness of Firmware -An Over- 
view, Springer-Verlag, New York (1980). 


[Bli76a.] Blikle A. and Budkowski S., "Certification of 
Microprograms by an Algebraic Method," Proc. 9th Annual 
Microprogramming Workshop MICRO 9, N.Y., pp. 9-14, 
ACM/IEEE (1976). 


iCarvoa.a Carter W.C., Joyner W.H., and _ Brand Da 
"Microprogram Verification Considered Necessary," Proc. 
Natdn COmpUG. « COnfs,, sAGLIngton, VA, pp. 657-664) AEEPS 
Press (1978). 


[cro80a. ] Crocker S.D., Marcus L., and D., Van-Mierop, 
"The ISI Microcode Verification System," in Firmware, 
Microprogramming and Restructurable Hardware, ed. G. 
Chroust and J. Mulbacker, North-Holland, Amsterdam 


Ti 


iWdabis! 


,basil 


i] v : alee 
ee eat u* 4M digs " 
wor A »gelssV-29p08 22 
ae 
Ay, 
eer: ie 
i} rf J y a! iy 
Est * io) 3 
, a4 a bas 7 sdatl 
| +f Srebreyebr vs 
| . G3 OD ene 
- bare - 
Pusat qa 
r ‘ : . - : ; 
» bre’ .2.9 let? 1° tie 
rte 120M ,eatomexd tras agit a 
rr, 
i. hw 
‘ poate Aula 
r "14 a Te - P nH. pre matt 
| ar. [sv * we 
, pels aoRet age lt 
ion 7 > 
5 ; span Ae 
hoy reap at: 
Yt Wel ilavoxbuad Bas A elatle a ear 
. » br sb > is’ iep lA re 16 xd 3 ss1p0Ig0 3th 
A LHL or 2a y* 2 Sir) eis 2 >. e nih 
—_ eli avery 2 ae 
1 
ii * ee 
: | a 
its - 
1‘ Bos ..H.W wzenyot ..3.8 -as378) 
lISBe Se “i | 04‘) fe r62 fn Of; . ispilirzeVv “mBIRC 
Be-S2a .aa ,notpni laa: ,. NG ~1 
_ : ’ 
7 
, GC Bas va Efe a 
ni. "\mese ce. citjisolikzev ey ebo2 
, a ewhtel siden ns Toa a & 


oH-2t0K , 79d0ediul 
ris y 


wes rapes sy 


13 


(1980). 
[Das78a.] Dasgupta S., “Towards a Microprogramming 
Language Schema," Proc. 11th Annual Microprogramming 


Workshop MICRO 171, N.Y., pp. 144-153, ACM/IEEE (1978). 


[Das80a.] Dasgupta S., "Some Aspects of High-Level 
Microprogramming," ACM Computing Surveys, Vol. 12(3), 
pp. 295-324, ACM (1980). 


[Das82a. ] Dasgupta S., "Computer Design and Description 
Languages," in Advances in Computers, ed. M.C. Yovits, 
Academic Press, N.Y. (1982). 


[Das83a.] Dasgupta S., "On the Verification of Computer 
Architectures Using an Architecture Description 
Language, , Proc. Oth “Anhual wins. | Synod. (on Comput. 
Aaa ie IEEE Comput. Soc. Press ((forthcoming) 
HWES3). 


[Das82b. ] Dasgupta S. and Olafsson M., "Towards a Family 
of Languages for the Design and Implementation of 
Machine Architectures," Proc. 9th Annual Symp. on Com- 
put: Architecture, pp. 158-170, IEEE Comput. Soc. Press 


(1982); 
[Dav80a. ] Davidson S§S. and Shriver B.D. "Firmware 
Engineering: An ExtenSive Update, oepp. 8 i=s0e rn 


Firmware, Microprogramming and Restructurable Hardware, 
ed. G. Chroust and J. Mulbacker, North-Holland, Amster- 
dam (1980). 


[Dav80b. ] Davidson S. and Shriver B.D., "MARBLE: A _ High 
Level Machine Independent Language for Microprogram- 
ming," pp. 253-263 in Firmware, Microprogramming and 
Restructurable Hardware, ed. G. Chroust and J. Mul- 
backer, North-Holland, Amsterdam (1980). 


} it: ue | ; 
primméezrpo rgetoie  & . eben 
On lames" QOnNGbtoih taunnk aot?  y 


phew : : “oe 
AOLeSt) SS T\2SA: , E271 7 oS 


| 
dy 
es 
' 5 4 7" } 
$ > a ‘ 3 4 
¢ < 
eonudoadae 
_ i Os ale OH 
= 2 mi 6 \S oY 
> A 
a | 
» i 
‘< ry ° 
S 2a 
1s 
2 —o 
> 


74 


[Dav81a.] DavirdsonkSe, ._Landskev onDt ie ShriverorB.Daaguand 
Mallett P.W., "Some Experiments in Local Microcode Com- 
pPactionsfor Horizontal Machines,” IEEE ~ Trans Comput., 
Mol C23 Or 964). . 


[Bak80a.] de Bakker J., Mathematical Theory of Program 
Correctness, Prentice-Hall, Englewood Cliffs, N.J. 
(1980). 


[Dem78a. ] Dembinski P. and Budkowski S., "An Introduction 
to the Verification Oriented Microprogramming Language 
MIDDLE," Proc. 9th Annual Microprogramming Workshop 
MICRO T12 N. Ye app. 9139-143") ACM/ TEER (1978). 


[DeM79a.]. DEMi PLOBR sAcpeb I DtOneeR? des anadmrpeer lis VoA.J¢; 
"Social Processes and Proofs of Theorems and Programs,” 
Conn Or LHeVACM, VolaiZ25)0 1979) . 


[Dij76a.] Dijkstra E.W., A Discipline of Programming, 
Prentice-Hall, Englewood Cliffs, N.J. (1976). 


[Fis81la.] Fisher J.A., "Trace Scheduling: A Technique for 
Global Microcode Compaction,” IEEE Trans Comput., Vol. 
C-30(7), pp. 478-490 (1981). 


[Fly7ta.] Flynn M.J. and Rosin R.F., "Microprogramming: 
Atesintroduction “and = viewpoint,” . IEEE trans Conput., 
Vols C-206)) pippu.727-43 1 CToeh)< 


[Flo67a.] Floyd R.W., "Assigning Meanings to Programs," 
Mathematical Aspects of Computer Science, Vol. xix, 
Dowebo7s2 Amen; Math... SOce 967 )*, 


[Gri8ta.] Gries D.G., The Science of Programming, 
Springer-Verlag, New York (1981). 


od pe wd 
s ~ >. * 

‘ o & 
” 


7 - 


é - 
hit aki ime 


4 € r 
’ ~ 
‘ i. 
> o 
. } = 
cs 
Pa fe 
* = 4 
- _= 


7 es 
“- a 


- 


fs 


[Hoa69a. ] Hoare C.A.R., "An Axiomatic Basis for Computer 
Byoguanmmngpa, Conn toerane ACM; Vol. 12(10)7 pp. “576- 
563 (1969). 

[Hoa72a.] Hoare C.A.R., "Notes on Data Structuring," in 


Structured Programming, ed. O.J. Dahl, E.W. Dijkstra, 
C.A.R. Hoare, Academic Press, London and New York 
O72 )e 


[Hoa73a.]} Hoare C.A.R. and Wirth N., "An Axiomatic Defin- 
ition of the Programming Language Pascal," Acta Infor- 
MablGarp Vo lomeee POe 635=555mUl 975)" 


[IEE8ia.] IEEE, "Special Issue on Microprogramming: 
ToOOlGs anaes Techniques,” § TEER S@irnanse Comput., “Vols C= 
30(7) (1981). 


[Kla81a.] Klassen A. and Dasgupta S., "S*(QM-1): An 


Instantiation of the High Level Microprogramming 
Language Schema S* for the Nanodata QM-1," Proc: 14th 


Annual Microprogramming Workshop, MICRO 14, pp. 124- 
130, IEEE Comput. Soc. Press (1981). 


[KonZ5a. | Kornerup P. and Shriver B.D., "An Overview of 
the MATHILDA System," SIGMICRO Newletter (ACM), Vol. 
5(4), pp. 25-53 (1975). 


[Kra80a. ] Kraley, M. et al, "Design of a User Micropro- 
grammable Building Block," Proc 13th Annual Workshop on 
Microprogramming, pp. 106-114, IEEE Comput. Soc. Press 


(19808 
[Lan80a. ] HandskoveD.foDayidson? Si swwShrivéerBeBiDy)/s)and 
Mallett P.W., "Local Microcode Compaction Techniques," 


ACM Computing Surveys, Vol. 12(2), pp. 261-294 (1980). 


[Lee74a,. ] Leeman G.B., Carter W.C., and Birman A., "Some 
Techniques for Microprogram Validation," Information 


>, 
yoo? 10't BE 
C4 a , {OF ist - 


ie 
uel 


a 
<A 
> 
7 * 3 
Lh > J- 
, a , 
‘« & 
be r? 
’ 
“ ; 
+ 
4 
- + 
j . 
os var 
&G 
@ . y 
a T 
on 
rar 3 1 
— rs 


6360 | 


: 4 { _ 7s 
ice ee. . oF 
*, ; a -~ 


76 


Processing 74 (Proc. IFIP Congress), North-Holland, 
Amsterdam, pp. 76-80 (1974). 


[Leh75a.] Lehman M.M., "“Microprogramming Trend Considered 
Dangerous," Comm. of the ACM, Vol. 18(6) (1975). 


[Mil7ia.] Milner R., "An Algebraic Definition of Simula- 
tion | between "Programs," Proc, 2nd Int’t Joint conr. 
Artificial Intelligence (1971). 


[MIT79a. ] MIT, Research Directions in Software Technol- 
ogy, MIT Press, Cambridge, MA. (1979). 


[Nan79a.] Nanodata Corporation, QM-1 Hardware Users 
Manual. Third Edition, Revision 1, Nanodata Corpora- 
Prone puLrtalo, N.¥ = (v92Z9)4 


[Oak79a.] Oakley J., "Symbolic Execution of Formal 
Machine Descriptions," Ph.d Thesis, Dept. of Computer 
Science, Carnegie-Mellon University (1979). 


[0Ola82a.] Olafsson M., “The OM-C: A C-oriented Instruc- 
tion Set Architecture," Technical Report TR81i-11, Dept 
of Computing Science, University of Alberta (1982). 


[Owi76a.] OwlGkiuS. andschlecsisbD. WAN -AxLomatic ~Proot 
Technique for Parallel Programs," Acta Informatica, 
Vol. 6, pp. 319-340 (1976). 


[Pat76a.] Patterson D.A., STRUM: Structured Microprogram 
Development System for Correct Firmware, IEEE (1976). 


[Pat77a.] Patterson D.A., "Verification of Micropro- 
grams," Ph.D Thesis, Dept. of Computer Science, UCLA, 
Los Angeles CA. (1977). 


re sald Aah C5262 095 | ae 
oo Aa aa reat 


: 


77 


[Rid81a.] Rideout D.J., "Considerations for Local Compac- 
Ppons .OL, wNanocode- “for the iNanodata OM-1," JEEL,. Proc: 
74th Annual Work on Microprogramming MICRO 14, 
Do 205-247 se LEREy Compute Soes eress (1981). 


[Sto77a.] Stoy J.E., Denotational Semantics: The Scott- 
Strachey Approach to Programming Language Theory, MIT 
Press, Cambridge, MA. (1977). 


[Stry say.) Stritter S. and Tredennick N., "Microprogrammed 
Implementation of a Single Chip Microprocessor," Proc. 
171th Annual Workshop on Microprogramming MICRO 117, 
Poe C- 16, AGM LEEE (1978). 


ProkSila.] TOkOuLO Mo, TamUrbauka,wancelamiziika T.,- Optimic 
Zatsone.Ot Microprograms, “IEEE rans. “Compout;:, Vol. C= 


[Wag83a. ] Wagner A. and Dasgupta S., "Formal Semantics of 
S*(QM-1)," Techical Report (expected), University of 
Alberta (1983). 


~ 


/333) “(TNO s3abonew 
Oth eA ‘4 AON 
heer? vee ae 


, 
P 
j 


ar 
- : 
fesod a 


nossa 1e8e. 


ae ox 
in 

rate 5! 
—_— 


me. ey pill ei 


Appendix 


Declaration Section for S*(QM-1) 


78 


tT 


snq 


snq }no sw 


$}1q 9 


+1q 


‘snq ino 3443usS ‘snq }no nLe 


S}1q 9 


+1q 


+1q 


+1q 


O° 


0° 


aie, i Or 7a 


dnjpua 
LS 
oO, ey 
aidn3z : do nie uead 
s}iq 9 ous» ‘eusy uead 


‘ano nite xeput uead 


uppe sw ‘uppe so uead 


14 “Sx ~Q>y “ex UeAd 
bas = snq adh} 

| ] bas = Si!q @ addy 
‘t ] bes = S3!q € adAy 
‘p ] bas = Si!q G adA} 
‘g ] bas = S3!q 9 adA} 
‘Zit ] bes = sitq et adAz 
] bas = uaisi6Beu s, addy 


uol}eueLoap 


Pid | @. oF oud oye 


80 


#!q [ O''b ] bas : poasy ‘poss ‘pokes ‘poosy yzIM 


Sitq st gO { 1E°°O }] Aeuue 


dnjpua 
dnjpua 
#!q [ 0°'S ] bas : usezeweued q 
¥!q [ O''v ] bas : uazyoweued e 
z!q [ 0° '9 ] bas : epoodo 
atdn3z 
dn}pue 
Si(qu9 = aq 
Si1q 9: e 
S¥1q 9:59 
atdn}z 
SiLq 8 3 66 (SER VOL ISIN SuIN 
Si'!q Bt go [ Z°'O ] A@uue : Zesodund | eusueb6 
¥!q $0 [O''}] bas = odwy YyzIM 
sitq et gO [ €°°O°-] Aeuue : xepul 
Si!q gt go [ €2°°'O ] ACuue =: asodund | eusuaeb 
aidnz 


Si iqmemago [ be> 70 J Aeaue 
Su0YS | eOO, UeA 
snq : Snq 3nOo SO Uea 
21q : pus ys ueA 


#iq : yoo uea 


tO. .2) pee. : coe tw 
pita 6) wef ©. .0 1 ewe teat _) een 


erica St : e4A0! fon iat 


oie 


2ia¢ { 0. .8 | pee . aoe 
27a i 6, -> | pe “e're4aq « 
- ; Tie | &@ .? | pee ‘Si earmremey of 
1 awiters 
quitre 
erid #8) 96 £ 1C..0 ) wees 


tid f 0. .8 } ges heel .Dost ,boe 6007 ridviv 


81 


dn}pus 


Si!q Bt $0 [ 6°'O ] A@uue : ssauppe ydnuuyaejzut 


S3!Q gt > Y Gua, pLlsets 712 
S11!q 8} : SSe@uppe eseq i,1e 
Sitq 8st go [ 4°°O ] A@uue +: aL qeua ydnuuajzut 
Satoqret a yzGuel plats 
Sail) ei. ¢ sseuppe eseq 
SIIQESteso [Aer On |eAcCdUue es: adunos pueuedo 
SELGeGletOul us Os | sACase.: ueais| Ged j4Juod 
atdnz 


#1q [O'‘p] bas : eres YYIM Sitq gt go [ 1E'°°'O ] ACuue 
si!q gt go [ 16°°O ] Atuue 
SuO01YSsS | eUuueaxXS UeA 
unpus 
Ssiiq et go [ t€°°O ] A@uuee: euoxs 5) B50} 
uoLun 


!q [O' ‘tb ] bas : poas ‘posy ‘pokey ‘pods yuo,OaLas : UL Buoys [| edOL }ONUYS 


-& 


ae re 


Ee <a ; = pe 4 : e, 7 a 7 
—y pian. 01 eae (eeny We we Ee 


as aoe 
a wie § ee Te 


eee bts asad 
Morea! ofa 


seria gh? wf .)....0 7 yew - of dane_sq07wIeT 


2713.87 ere hts pea is 
ore. @ argent _bidt4? ot, 


. | Yorws . seethbe_ panies? 


_ 
* Wee | vires 


82 


unpue 


Sitq st O [ +6°°O ] Aeuue : ssuo |e 
Sitdegh wo [> be “Oj Aeude: : @40}S | eDO0l 


uolun pls; UOPDSLVS 
PlLes YFIM SiLqG gL go [ £9°°O ] Aeuue 


}ndut euo}yS | euUua}xe yONUYS 


unpua 


SJTOT SE Joul_ te: Oo Jy Aeuie- seuo |e 
SQkg eb 40-1 te. .6. | Aedde: @u0YS [edo] 


uolLun PpltoOJs UWOPDVLSS 
PLOJ¥ YYIM S21qQ BL so [ €9°°O ] ACuue 


e}ep Su0}S [Ou}UOD 39Nu3sS 


unpua 


SJtaq st.so [ 1e°-O] Auge: souez {Le 
Sita st go f te°°O ] Aeuse 2 esos feude; xs 


uoLuN eOe4 4OPDSLaS 
eoasy YFIM S7L1Q Bt Jo [ €9°°O ] Aeuue 


}Nd}NoO Beu0}S | eCUuUe}XSe JONAS 


~ 7 A sy ies 
“ioe sna 2 “sly watras ee oF notes lon ae 
reat re t 7 i 4 ’ i. T oem tn ‘wi?he = 
rca hie \ Y eae - -— ie 018 = 


r 7 _ 


83 


Ssitq gt so [ 


Si!q gf so [ 


unpue 


$€°°O ] Aeuue : sauo [Le 
Cu OmelmA Coder: SIC TSM Leo! 


uoitun plsj 40},D9L[SS 


PlSJ$ UZIM SiLQ gt go [ €9°°O ] Aeuue 


ut 34uUS 


unpua 


be’ °O ] Aeuue : sauo |(e 
be. © | Atdies BUOYS [eDO| 


uoltun | Ley uo OSes 


LEGS ULIM S7!1Q BL ¥O [ €9°°O ] ACuue 


nie 


unpus 


ee 26) I) AVR RIS = seuo | |e 
be°°O ] Aeuue : Bu0VS | edo] 


uoLunN ules uo DaLasS 


4t@s UZIM S7!1Q Bt gO [ £9°°O ] ACuue 


n_te ud 


7 a 
io SH we 


2 


rer —_ => 


ae sea 


oad ee 


_ 


, ae a 
J 


84 


/x 


/+ 
/+ 
/* 
/+ 
/+ 
/+ 
|x 
Ts 
/+ 
/* 
/+ 
/+ 
/+ 
/* 


s}iq 9 so [ 


/* woz,uUueEYyd x / 
/* SnzeYs Leqo,B 

/ x XSPUL x/ 

/* Je yULod odu x/ 

/x UOlLAL ued yesn x/ 

f/x UOl Oe Auelixne x/ 
e Lep--}Nd}NoO BSuo0}.S | CUua}xXxAa 
sseuppe--}ndul syuojS | euUus}xKE 
eyep--}Nd}No Ssuoj Ss | eUus}xS 
eyep--ynndut suojs [| euuEe}xS 
e1ep--jndjino use} lus 
eyep--j}ndul us}yslys 
e}yep--}nd}no ne 
e7ep--3Nd}NO Buo0}S [OuzZUOD 
MUL Tsao siae wy, (ays 
eyep--jNdul Suo}S [Ou}UOD 
3498,[--}Ndul NLe 
sssuppe--}ndut 84u0}VS |[Ou}UGD 
eyep--}ndjino suo Vs uLew 


ey yep/sseuppe--yndut suozys uLew 


Sua}siBeu 4¥ [Ou}PUOD jenplLseu x/ 


dnjpue 


ia Om leAc lee: 6 
(pesnun) s}iqg9 : ydigy 
* / S31q 9: 4Shd 
(pesnun) s3!q 9: xplg 
S31q 9 : odwy 

(pesnun) sitq 9 : uaesng 
(pesnun) sitq 9 : yoeS 
+ / S}!q 9 : eoas 
x / S}1q 9 > Bley 
* / S}1q 9 : poay 
« / S31 9: play 
+ / S}1q 9 : poss 
+ / Siig 5 2 piss 
+ / Si!q 9 : poe 
+ / Sliq 9 : pooy 
x / Sitq 9 >: utes 
+ / Siiq 9 : prog 
x / Sziq 9.2 [ted 
 / Sj1qQ 9 > BLOS 
¥/ S}!1q 9 : pow 
* / Ss11q 9 >: XLWy 


atdnz 
si1q 9 $o [ 1€°'O ] ACuue 


au0is Jf UeA 


- tie Feu Anat toutnes Prk 
. aTéb-—TyA? nS fies) a 


‘fsk-—ftuow vate 
steb=-Jvgartin ans Fens 


e7nb~-suwa) Bibra tenes xe 


iat Sergey -@ 1 f arenes 
PMS "hhA--Iyye wh? Tere a) 
6l4b--HNrewsee PAs terise) 94 
~~) fDA- ye! furs -©\ Ctereergy tal | 
= \* mete isen Seay ¥\ lhoiuyw) @f'o.8 > Seed - 
: Y Seinhoq aca *\ : e210 4 cue’ 
ae : . ye mv. s'2] | V teoretervin) 2770.9 ai) 
5 1 \* eutet=2 fatininy © Prima : 921% ; 
7 \s roarrniat, *\ (beeur) wird. fiqi 4 
etra_d % [ fr }] yet 0 
ap qu? brim 


85 


snq 
Siig -¢ = Sdulg UTIM 
Sitq gt $0 [ €°°O } Aeuue 
snq 
unpue 


SaCeaieesOul Le. <0) Aeaie-: seuo | |e 
Sitqvst go [ be °oO ] Aeuue - Suos | edO] 


uoltun B19} wo DSLesS 


BLOJ YZIM S7!qQ gt 4O [ €9°°O ] ACuue 


dnjpua 


no nLe xeput 


xepul 


snq ino so 


uppe 6eu 
atdnz 


aodunos uppe so 49Nu4sS 


Jppe so y2IM Sitq et go [ 6S6O0r°°O ] A@uue = 9407S) 104}U05 eA 


Fine te_T Ve 


Mod te. Sprit 
Qialtarey 


86 


unpue 
Si'q gt go [ €2°°O ] Aeuue : seuo [Le 
siiq gt go [ 4°'O ] A@uue : sways} 6eu jyu4od 
Siid e300 [=be .0_ l=Aease - SU03S [LeDO0| 
uoLun x!tws uwo,OaLes 


xtws UZIM ZIG [ O' LE ] bas jo [ €9°°O ] Atuue 


@dunos sw 3ONUYS 


dn} pus 
(pesnun) s3iq st gO [ €7°°O ] A@uue = Uolzeusdo [| {NU 
St!q at gO [ 4°'O ] Aeuue : 4aysi6eu yu4od 
Svidegh Jo .[) fo O- | ACIse= @JOUS Leo] 
aidny 
/* StLNSeu UolL}peuedo [LNU Ua BE < pows Jt «/ pows YIM 
si4q eo, 40 [69° 0.] Aeuse 


yULS SW ZONUyS 


dppe su YIM 


S}iq gt go [ G0E86°°O ] Ae@uue : Su0}s ULeW UA 


} - 
> 
7 a 


Y tae eee ; 


7 wea enh 


tare CL ore ve 
MW 1° 
(eet Sere. 6! Ve Pes 0) wenn - 


* } pee % {f°Cs. 0.) Geese 
mim x<tat wePaotew : 
> jj) ya a 
waews - TL ae *~£29 
—_ ywed"a aris! CA 


mera : 


87 


unpue 
Saliep wy 8 snq ino se 
Sauiltepysyy snq no sw 
Silene 4 s6eu uzUd 
SviCqE eiso jets ©. | ACaler: seuo [Le 
S3iqd eg} : yzyGBue, plery 
Sal Me Keyes ssouppe eseq 
SLLGT OR AE ff £°°O |} eave = edunos pueusdo 


uoLtun 


Sitcdepe> [) LIS “[OLl& “[el6 “[s]6 “qu “an “q “e ucjosies = sini esxepul yzonuzs 


unpua 
sitq gl fo [ Le*°O ] Aeuue : @uoys [eoo| 
uotun 
Siiq Gg : [eS 6 wuoJPOaLSs : yULS NLe xaepUuL }ZONUYS 
unpus 
SA Memey el 1 (Soo i) WRN = QuoYs [| ed0| 
uoLtun 


S11q°G : Tes 6 “aqy**ex ‘xy “qQ>“*e uozoeles * | nie xepur jyonuyzs 


Te 


- BwWpSZsor 


-_ 


-_ 


“Mioy > eee? -- Dos 


ae mat 


= 
— 


88 


Si!1q 9 JO [ 11°'O ] Atuue : 6 
(pesnun) sz!q 9 : ZLLnu 
(pasnun) s3!q 9 = FLLnuU 


S3¥1qQ 9 : odwy 


S}1qQ 9 : q> 
Si1iq 9: ey 
Si1q 9: q 
S}iq 9 : e 
uo.un 


Si!\Q bp : @1ES4$ uoPDSLesS : do ni ex y.ONUAYS 


unpua 
Sy Paro.: xy 
Sliqg9 = sy 
S}!1qgQ: q 


S31Q 9 : eYusy 
SitgquS sO sie tt oO. |] Aesue - 6 
uoLtun 


S3!q G : Deds6 uoOaLes : Les 6 yONuAS 


antag: 
Pie a : _ hele 


ed@ teh. .O 1 erRr oe 


_— = 
a 


Cas 


eee. aiid}: Steet tomes « qo clan’ SAR -— 


rele 


mits ~ -e* 


a7 +e. 2 w 


21rd ad 


“a7 , Gey 
re 7 
: 7 a 
aS os : / : 
7 
(Oe@edvial) a) fri ‘ 7 
(Some) 2744.4 pow 7 
agrd 2 +6 oat yas G 


eM Rr ace s ¥ ly iD 
7 j ’ pass ‘ol gl 


9 -_) 


iad 
aie 
ty i 


at 
bh 
a 
vee 


a i 
mar tae 
' ho 
a; 
Un ‘CP 4 ae f ae 7 
as 7 x 4 s ; 
y hes 


a ry 
De 
ie i - i 
fe 


dy) — 


ao t 4 ai 
v Ld “ 
i a | 
MP 4. oe nga 
V g 
‘| Pi 7M 


« 
‘ 
| ‘ 
¥ 
“ 
| © 
; 
i] 
‘ 
: ® 
i Vix 
¥ “i 
: é 


